[doseta-discuss] Defining/deploying a key management service (Re: suggestions/concerns on spec)

Dave CROCKER dhc at dcrocker.net
Fri Jun 3 07:12:23 PDT 2011


Mark,

On 6/2/2011 7:58 PM, Mark Nottingham wrote:
>> - Many people I talked to thought DNS would be difficult to deploy and
>> manage for a public key infrastructure.  I myself had difficulties finding
>> a DNS solution that I could embed in unit tests (even then I had to hack
>> it).
>
> +1. My thinking has been RFC5785 over HTTPS...


Perhaps I am missing something in that specification, but it appears to me to be 
nice-but-insufficient.  It seems a bit like saying that we need to specify the 
details of an automobile and thinking that a pointer to a catalog entry for 
tires will suffice.  A useful component, but a long way from a complete 
specification.  Worse, it might be like saying that we need a metropolitan 
transportation service and thinking that specifying a pointer to the tires for 
the buses is sufficient.

For the protocol specification phase of developing a critical infrastructure 
service, the hard part is the set of parameters to the query and the set of 
parameters to the response.

The next hard part is getting the infrastructure operational -- creating server 
operations that have software and operations policies tailored to this 
specialized need, and populating the database. I'll repeat an earlier point I 
made:  creating and operating a global service infrastructure is a very large 
effort.

Finding a high point of departure -- that is, finding an existing infrastructure 
to build upon -- is a very, very large win.  While the web is indeed an existing 
infrastructure, I'll claim that it is not nearly as high a point of departure as 
the DNS is, given the very considerable differences in administration and 
operations for the two services.

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
