[OpenID] OpenID as a PKI facilitator

Ben Laurie benl at google.com
Sat Apr 7 10:53:36 UTC 2007


On 4/7/07, Dick Hardt <dick at sxip.com> wrote:
> Hmmm ... that is not how I understood it worked from talking to Ben Laurie.
>
> Ben: would seem pretty heavy if zone file was needed to store a key in a
> record. Is this true?

No. But nor is that what David said: he said a separate zone was
needed for each signing key. Which is true.

What I can't figure out from what has been written in this thread is what
exactly you are trying to do, or why it would involve multiple signing
keys - from what I'm reading, you want to publish a key per user,
signed by some authority, which you can do in a single zone. But I'm
guessing wildly.

>
> -- Dick
>
>
> On 6-Apr-07, at 5:48 PM, Recordon, David wrote:
>
>
> I thought that as well, but verified that with one of the authors of some of
> the DNSSEC RFCs before sending my note.
>
>  --David
>
>
>   -----Original Message-----
>  From:   Dick Hardt [mailto:dick at sxip.com]
>  Sent:   Friday, April 06, 2007 05:42 PM Pacific Standard Time
>  To:     Recordon, David
>  Cc:     Nic James Ferrier; OpenID General
>  Subject:        Re: [OpenID] OpenID as a PKI facilitator
>
>  Agreed that DNSSEC would require access to DNS records.
>
>  I would imagine that the user level key would be a DNS record rather
>  than each user having a separate zone.
>
>  -- Dick
>
>  On 6-Apr-07, at 2:43 PM, Recordon, David wrote:
>
>  > DNSSEC also requires access to the DNS records to change versus
>  > hosting
>  > a key via your existing application.  In addition, DNSSEC requires a
>  > different zone file for each signing key, meaning the overhead of DNS
>  > server management also increases.  As used today, a wildcard DNS entry
>  > such as *.pip.verisignlabs.com would no longer be useful for each
>  > user,
>  > rather each user would have to have a separate entry with a unique key
>  > in a unique zone.  I thus think that while this may seem like a great
>  > solution, the deployment headaches would make it impractical.
>  >
>  > --David
>  >
>  > -----Original Message-----
>  > From: general-bounces at openid.net [mailto:general-
>  > bounces at openid.net] On
>  > Behalf Of Nic James Ferrier
>  > Sent: Friday, April 06, 2007 1:43 PM
>  > To: Dick Hardt
>  > Cc: OpenID General
>  > Subject: Re: [OpenID] OpenID as a PKI facilitator
>  >
>  > Dick Hardt <dick at sxip.com> writes:
>  >
>  >> DNSSEC is another potential way for a global PKI to be deployed.
>  >
>  > I love DNSSEC as a solution. It rocks.
>  >
>  > Trouble is, it's another of those solutions that's going to take a
>  > long
>  > time to get out there.
>  >
>  > When I talk to colleagues about DNSSEC they are mostly uninterested.
>  >
>  > Pity.
>  >
>  >
>  > --
>  > Nic Ferrier
>  > http://www.tapsellferrier.co.uk
>  > _______________________________________________
>  > general mailing list
>  > general at openid.net
>  > http://openid.net/mailman/listinfo/general
>  >
>  >
>
>
>
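A concrete illustration of the point Ben makes above, added here and not part of the thread: the unit DNSSEC signs is the zone, so one zone can carry a record per user and a single zone-signing key covers all of them. The zone name `example.org`, the `_openid` label, the user names and all key and certificate material are constructed placeholders; the per-user records are shown as CERT records (RFC 4398, type 1 = PKIX certificate), which is one of several record types that could hold a key.

```zone
$ORIGIN example.org.
$TTL 3600
@               IN SOA   ns1.example.org. hostmaster.example.org. (
                         2007040701 ; serial (constructed)
                         7200 3600 1209600 3600 )
@               IN NS    ns1.example.org.
ns1             IN A     192.0.2.53        ; RFC 5737 documentation address

; one zone-signing key for the whole zone (flags 256 = ZSK, protocol 3,
; algorithm 5 = RSA/SHA-1, as commonly deployed in 2007); key material is
; a placeholder
@               IN DNSKEY 256 3 5 ( AwEAAb...PLACEHOLDER-ZSK-BASE64... )

; one record per user, all in this same zone; no additional zones are
; created when a user is added. Format: type key-tag algorithm cert-data.
; key tags and certificate data are placeholders.
alice._openid   IN CERT 1 12345 5 ( MIIB...PLACEHOLDER-CERT-BASE64... )
bob._openid     IN CERT 1 12346 5 ( MIIB...PLACEHOLDER-CERT-BASE64... )

; After signing the zone (e.g. with BIND's dnssec-signzone), every RRset
; above carries an RRSIG produced with the single DNSKEY, along the lines of:
; alice._openid IN RRSIG CERT 5 4 3600 <expiry> <inception> <zone key tag>
;                        example.org. ( ...signature... )
```

Adding a user therefore means adding a record and re-signing the zone, not standing up a new zone; a separate zone is only required where a distinct signing key is wanted for that delegation. Whether the per-user record should be a CERT, TXT or some other type, and how a relying party would discover it, is not settled by the thread and is left as an assumption here.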
