
RE: PKI and S/MIME



> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@xxxxxxxxx] 
> Sent: Wednesday, August 13, 2003 10:16 AM
> To: Blake Ramsdell; Simon Josefsson
> Cc: ietf-smime@xxxxxxx; 'Sean P. Turner'
> Subject: Re: PKI and S/MIME
> 
> I respect your work with DNS for location but is this really
> universal?  How about my anders.rundgren@xxxxxxxxx cert
> issued by VeriSign?  Would it be appropriate to require ISPs
> like Telia to maintain a directory pointing to various TTP CAs?
> 
> Or should every domain-owner become a CA?

One thing to keep in mind is that I'm not sure that there is any clear
"universality" for *any* protocol that we might consider -- if there
existed something universal, we'd have a de facto standard that we'd
simply convert to an RFC and be done with it.

If I were going to hazard a guess about widely deployed public
certificate repositories, I would say that there would be a better
argument for LDAP than anything else.  Notice the careful wording here
;).  As much as the attempts to automatically map from an email address
to an LDAP directory containing a certificate for that email address
might not have progressed as well as we might like, I think that there
is some hope of that being addressed through the SRV record which is (as
far as I can tell) widely supported by DNS implementations.

A better question for the DNS distribution of certificates is whether or
not this smells like it would be the most likely thing to get deployed.
My understanding is that you would need DNS servers that supported the
particular record types required for this functionality, as well as
administrative tools to upgrade those records that are different than
typical DNS administration tools.  To me, that doesn't smell as good.

Blake
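As an added illustration of the SRV-based mapping the reply alludes to (this is example code, not part of the original thread or any project's implementation): derive the `_ldap._tcp.<domain>` owner name from an e-mail address and order the returned targets the way RFC 2782 prescribes. The zone data is constructed, and the lookup is served from that dict rather than real DNS.

```python
import random
from typing import Dict, List, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed sample zone: the SRV records a mail domain might publish to
# point at its LDAP certificate repository. Not real DNS data.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.example.com.": [
        (10, 60, 389, "ldap1.example.com."),
        (10, 20, 389, "ldap2.example.com."),
        (10, 20, 389, "ldap3.example.com."),
        (20, 0, 636, "ldap-backup.example.com."),
    ],
}


def srv_name_for_email(address: str) -> str:
    """Map an e-mail address to the SRV owner name of its domain's LDAP service."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"_ldap._tcp.{domain.strip().rstrip('.').lower()}."


def order_srv_targets(records: List[SrvRecord], rng=random) -> List[Tuple[str, int]]:
    """Order targets as RFC 2782 prescribes: lowest priority first; within one
    priority, weighted random selection (weight-0 entries are rarely picked)."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r[0] for r in records}):
        same = [r for r in records if r[0] == prio]
        pool = [r for r in same if r[1] == 0] + [r for r in same if r[1] != 0]
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return [(target, port) for _, _, port, target in ordered]


def discover_directory(address: str, zone=SAMPLE_ZONE, rng=random) -> List[Tuple[str, int]]:
    """Return the LDAP hosts to try for an address, best first. The SRV answer only
    says where to look; without DNSSEC it is unauthenticated, so any certificate
    fetched from these hosts must still chain to a trusted CA before use."""
    return order_srv_targets(zone.get(srv_name_for_email(address), []), rng)
```

Passing a seeded `random.Random` as `rng` makes the weighted choice reproducible for testing.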