[OpenID] OpenID as a PKI facilitator
Ben Laurie
benl at google.com
Sat Apr 7 10:53:36 UTC 2007
On 4/7/07, Dick Hardt <dick at sxip.com> wrote:
> Hmmm ... that is not how I understood it worked from talking to Ben Laurie.
>
> Ben: would seem pretty heavy if zone file was needed to store a key in a
> record. Is this true?
No. But nor is that what David said: he said a separate zone was
needed for each signing key. Which is true.
What I can't figure out from what has been written in this thread is what
exactly you are trying to do, or why it would involve multiple signing
keys - from what I'm reading, you want to publish a key per user,
signed by some authority, which you can do in a single zone. But I'm
guessing wildly.
>
> -- Dick
>
>
> On 6-Apr-07, at 5:48 PM, Recordon, David wrote:
>
>
> I thought that as well, but verified that with one of the authors of some of
> the DNSSEC RFCs before sending my note.
>
> --David
>
>
> -----Original Message-----
> From: Dick Hardt [mailto:dick at sxip.com]
> Sent: Friday, April 06, 2007 05:42 PM Pacific Standard Time
> To: Recordon, David
> Cc: Nic James Ferrier; OpenID General
> Subject: Re: [OpenID] OpenID as a PKI facilitator
>
> Agreed that DNSSEC would require access to DNS records.
>
> I would imagine that the user level key would be a DNS record rather
> then each user have a separate zone.
>
> -- Dick
>
> On 6-Apr-07, at 2:43 PM, Recordon, David wrote:
>
> > DNSSEC also requires access to the DNS records to change versus
> > hosting
> > a key via your existing application. In addition, DNSSEC requires a
> > different zone file for each signing key, meaning the overhead of DNS
> > server management also increase. As used today, a wildcard DNS entry
> > such as *.pip.verisignlabs.com would no longer be useful for each
> > user,
> > rather each user would have to have a separate entry with a unique key
> > in a unique zone. I thus think that while this may seem like a great
> > solution, the deployment headaches would make it impractical.
> >
> > --David
> >
> > -----Original Message-----
> > From: general-bounces at openid.net [mailto:general-
> > bounces at openid.net] On
> > Behalf Of Nic James Ferrier
> > Sent: Friday, April 06, 2007 1:43 PM
> > To: Dick Hardt
> > Cc: OpenID General
> > Subject: Re: [OpenID] OpenID as a PKI facilitator
> >
> > Dick Hardt <dick at sxip.com> writes:
> >
> >> DNSSEC is another potential way for a global PKI to be deployed.
> >
> > I love DNSSEC as a solution. It rocks.
> >
> > Trouble is, it's another of those solutions that's going to take a
> > long
> > time to get out there.
> >
> > When I talk to colleagues about DNSSEC they are mostly uninterested.
> >
> > Pity.
> >
> >
> > --
> > Nic Ferrier
> > http://www.tapsellferrier.co.uk
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
> >
>
>
>
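As an added illustration of the point Ben makes above (not part of the original thread, and not text from any of its authors), the following constructed zone fragment shows the "one key per user, one signed zone" layout: each user's public key is an ordinary record under a single zone, and DNSSEC signing of that zone covers every one of those records with the zone's own key. The zone name example.com, the user names, the TXT-record convention and the base64 key material are all placeholders chosen for the example; a real deployment would pick its own record type (e.g. CERT) and format.

```zone
; Constructed example: one zone, one signing key, many per-user key records.
; Assumed domain and record convention; key bytes are placeholders.
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2007040701 7200 900 1209600 3600 )
@       IN NS   ns1.example.com.

; The zone's DNSSEC key (ZSK). The zone's RRSIG records are produced
; by signing this zone file once; no per-user zone is required.
@       IN DNSKEY 256 3 5 AwEAA...PLACEHOLDER-ZSK...

; One record per user. After signing, each TXT RRset below gets its
; own RRSIG made with the zone key above, so every user key is
; "signed by the authority" that controls example.com.
alice._openidkey IN TXT "k=rsa; p=MIGfMA0...PLACEHOLDER-ALICE..."
bob._openidkey   IN TXT "k=rsa; p=MIGfMA0...PLACEHOLDER-BOB..."
carol._openidkey IN TXT "k=rsa; p=MIGfMA0...PLACEHOLDER-CAROL..."
```

Signing a zone laid out this way (for example with BIND's `dnssec-signzone`) emits an RRSIG for every RRset, including each user's TXT record, so adding a user is a matter of adding one record and re-signing, not creating a new zone. A resolver that validates DNSSEC can then check a user's key record back to the zone's DNSKEY and, through the DS chain, to the parent. The caveat in the thread still applies: a wildcard entry cannot stand in for these records, since each user needs a distinct signed RRset.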