[doseta-discuss] Defining/deploying a key management service (Re: suggestions/concerns on spec)
Mark Nottingham
mnot at mnot.net
Sun Jun 5 20:08:14 PDT 2011
On 04/06/2011, at 12:12 AM, Dave CROCKER wrote:
> Mark,
>
> On 6/2/2011 7:58 PM, Mark Nottingham wrote:
>>> - Many people I talked to thought DNS would be difficult to deploy and
>>> manage for a public key infrastructure. I myself had difficulties finding
>>> a DNS solution that I could embed in unit tests (even then I had to hack
>>> it).
>>
>> +1. My thinking has been RFC5785 over HTTPS...
>
>
> Perhaps I am missing something in that specification, but it appears to me to be nice-but-insufficient. It seems a bit like saying that we need to specify the details of an automobile and thinking that a pointer to a catalog entry for tires will suffice. A useful component, but a long way from a complete specification. Worse, it might be like saying that we need a metropolitan transportation service and thinking that specifying a pointer to the tires for the buses is sufficient.
Of course. You have to start somewhere.
> For the protocol specification phase of developing a critical infrastructure service, the hard part is the set of parameters to the query and the set of parameters to the response.
I'm not sure how we got there; for my use case, a single key for the site might be sufficient.
> The next hard part is getting the infrastructure operational -- creating server operations that have software and operations policies tailored to this specialized need, and populating the database. I'll repeat an earlier point I made: creating and operating a global service infrastructure is a very large effort.
?!?
> Finding a high point of departure -- that is, finding an existing infrastructure to build upon -- is a very, very large win. While the web is indeed an existing infrastructure, I'll claim that it is not nearly as high a point of departure as the DNS is, given the very considerable differences in administration and operations for the two services.
Most people who run Web sites (again, my use-case-centric view) are much more comfortable working with flat files on an HTTP server than making DNS entries, especially if they have new record types. YMMV.
Cheers,
>
> d/
> --
>
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
> _______________________________________________
> doseta-discuss mailing list
> doseta-discuss at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/doseta-discuss
--
Mark Nottingham http://www.mnot.net/
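Editor's added example, not code from either poster or from the DOSETA project: the "RFC5785 over HTTPS, one key per site, flat file on the server" option Mark sketches, next to the DNS TXT option Dave prefers, so the two discovery channels can be compared concretely. The well-known suffix "doseta-key" is an assumption (RFC 5785 would require an IANA registration that this thread never proposes), the record format is borrowed from the DKIM tag=value syntax of RFC 6376 section 3.2 because DOSETA grew out of DKIM, and the key material is a constructed placeholder, not a real public key. The point of the code is that the same record parses identically whether it arrives as a fetched flat file or as a TXT RDATA string; only the locator differs.

```python
"""Key discovery via an RFC 5785 well-known URI vs. a DNS TXT record (added example)."""
import base64
import re

# Assumption: hypothetical well-known suffix. A real deployment needs an IANA
# registration under /.well-known/ (RFC 5785 section 5.1); none exists for DOSETA.
WELL_KNOWN_SUFFIX = "doseta-key"

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, at least one dot.
_HOSTNAME_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.?"
)


def well_known_url(domain: str, suffix: str = WELL_KNOWN_SUFFIX) -> str:
    """Build https://<domain>/.well-known/<suffix>.

    The domain is validated as a bare hostname first, so a caller that passes
    "example.com/../x", "user@host", "host:8443" or "http://host" cannot move
    the fetch off the intended origin or off https.
    """
    if not _HOSTNAME_RE.fullmatch(domain):
        raise ValueError(f"not a bare hostname: {domain!r}")
    return f"https://{domain.rstrip('.')}/.well-known/{suffix}"


def parse_tag_list(text: str) -> dict:
    """Parse a DKIM-style tag-list ('tag=value; tag=value', RFC 6376 section 3.2).

    Whitespace around tags and values is ignored, folding whitespace inside a
    value (common in base64 'p=' data) is removed, duplicate tags are rejected,
    and a trailing ';' is tolerated.
    """
    tags = {}
    for field in text.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed field: {field!r}")
        name, value = field.split("=", 1)
        name = name.strip()
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"bad tag name: {name!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(value.split())
    return tags


def extract_public_key(record: dict) -> bytes:
    """Return the decoded 'p=' key bytes from a parsed record.

    An empty p= means the key has been revoked (RFC 6376 section 3.6.1) and
    must not be treated as 'no key'; a missing p= is a malformed record.
    """
    if record.get("k", "rsa") != "rsa":
        raise ValueError(f"unsupported key type: {record['k']!r}")
    if "p" not in record:
        raise ValueError("record has no p= tag")
    if record["p"] == "":
        raise ValueError("key revoked (empty p=)")
    return base64.b64decode(record["p"], validate=True)


# Constructed sample data: a placeholder, not a real public key.
_PLACEHOLDER_B64 = base64.b64encode(b"constructed placeholder, not a real key").decode()
# The flat file as it would be served at the well-known URL (folded across lines).
FLAT_FILE = f"v=DKIM1; k=rsa;\n p={_PLACEHOLDER_B64}\n"
# The same record as a single TXT RDATA string.
DNS_TXT = f"v=DKIM1; k=rsa; p={_PLACEHOLDER_B64}"


def keys_match(flat_file: str, txt_record: str) -> bool:
    """True when both delivery channels yield byte-identical key material."""
    return extract_public_key(parse_tag_list(flat_file)) == extract_public_key(
        parse_tag_list(txt_record)
    )


if __name__ == "__main__":
    print(well_known_url("example.com"))
    print("same key via HTTPS and DNS:", keys_match(FLAT_FILE, DNS_TXT))
```

The two approaches differ only in `well_known_url` versus a TXT lookup for the selector name; everything after retrieval is shared, which is the sense in which RFC 5785 is "a component, not a complete specification": it settles where the file lives, not what the record says or how the operator is expected to manage it.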