<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Hmmm ... that is not how I understood it worked from talking to Ben Laurie.<DIV><BR class="khtml-block-placeholder"></DIV><DIV>Ben: would seem pretty heavy if a zone file was needed to store a key in a record. Is this true?<DIV><BR class="khtml-block-placeholder"></DIV><DIV>-- Dick</DIV><DIV><BR><DIV><DIV>On 6-Apr-07, at 5:48 PM, Recordon, David wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"> <P><FONT size="2">I thought that as well, but verified that with one of the authors of some of the DNSSEC RFCs before sending my note.<BR> <BR> --David<BR> <BR> <BR> -----Original Message-----<BR> From: Dick Hardt [<A href="mailto:dick@sxip.com">mailto:dick@sxip.com</A>]<BR> Sent: Friday, April 06, 2007 05:42 PM Pacific Standard Time<BR> To: Recordon, David<BR> Cc: Nic James Ferrier; OpenID General<BR> Subject: Re: [OpenID] OpenID as a PKI facilitator<BR> <BR> Agreed that DNSSEC would require access to DNS records.<BR> <BR> I would imagine that the user level key would be a DNS record rather <BR> than each user having a separate zone.<BR> <BR> -- Dick<BR> <BR> On 6-Apr-07, at 2:43 PM, Recordon, David wrote:<BR> <BR> > DNSSEC also requires access to the DNS records to change versus <BR> > hosting<BR> > a key via your existing application. In addition, DNSSEC requires a<BR> > different zone file for each signing key, meaning the overhead of DNS<BR> > server management also increases. As used today, a wildcard DNS entry<BR> > such as *.pip.verisignlabs.com would no longer be useful for each <BR> > user,<BR> > rather each user would have to have a separate entry with a unique key<BR> > in a unique zone. 
I thus think that while this may seem like a great<BR> > solution, the deployment headaches would make it impractical.<BR> ><BR> > --David<BR> ><BR> > -----Original Message-----<BR> > From: <A href="mailto:general-bounces@openid.net">general-bounces@openid.net</A> [<A href="mailto:general-">mailto:general-</A><BR> > <A href="mailto:bounces@openid.net">bounces@openid.net</A>] On<BR> > Behalf Of Nic James Ferrier<BR> > Sent: Friday, April 06, 2007 1:43 PM<BR> > To: Dick Hardt<BR> > Cc: OpenID General<BR> > Subject: Re: [OpenID] OpenID as a PKI facilitator<BR> ><BR> > Dick Hardt <<A href="mailto:dick@sxip.com">dick@sxip.com</A>> writes:<BR> ><BR> >> DNSSEC is another potential way for a global PKI to be deployed.<BR> ><BR> > I love DNSSEC as a solution. It rocks.<BR> ><BR> > Trouble is, it's another of those solutions that's going to take a <BR> > long<BR> > time to get out there.<BR> ><BR> > When I talk to colleagues about DNSSEC they are mostly uninterested.<BR> ><BR> > Pity.<BR> ><BR> ><BR> > --<BR> > Nic Ferrier<BR> > <A href="http://www.tapsellferrier.co.uk">http://www.tapsellferrier.co.uk</A><BR> > _______________________________________________<BR> > general mailing list<BR> > <A href="mailto:general@openid.net">general@openid.net</A><BR> > <A href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</A><BR> ><BR> ><BR> <BR> </FONT> </P> </BLOCKQUOTE></DIV><BR></DIV></DIV></BODY></HTML>