[doseta-discuss] Defining/deploying a key management service (Re: suggestions/concerns on spec)
Bill Burke
bburke at redhat.com
Mon Jun 6 05:00:16 PDT 2011
On 6/5/11 11:08 PM, Mark Nottingham wrote:
>
> On 04/06/2011, at 12:12 AM, Dave CROCKER wrote:
>
>> Mark,
>>
>> On 6/2/2011 7:58 PM, Mark Nottingham wrote:
>>>> - Many people I talked to thought DNS would be difficult to deploy and
>>>> manage for a public key infrastructure. I myself had difficulties finding
>>>> a DNS solution that I could embed in unit tests (even then I had to hack
>>>> it).
>>>
>>> +1. My thinking has been RFC5785 over HTTPS...
>>
>>
>> Perhaps I am missing something in that specification, but it appears to me to be nice-but-insufficient. It seems a bit like saying that we need to specify the details of an automobile and thinking that a pointer to a catalog entry for tires will suffice. A useful component, but a long way from a complete specification. Worse, it might be like saying that we need a metropolitan transportation service and thinking that specifying a pointer to the tires for the buses is sufficient.
>
> Of course. You have to start somewhere.
>
>
>> For the protocol specification phase of developing a critical infrastructure service, the hard part is the set of parameters to the query and the set of parameters to the response.
>
> I'm not sure how we got there; for my use case, a single key for the site might be sufficient.
>
>
>> The next hard part is getting the infrastructure operational -- creating server operations that have software and operations policies tailored to this specialized need, and populating the data base. I'll repeat an earlier point I made: creating and operating a global service infrastructure is a very large effort.
>
> ?!?
>
>
>> Finding a high point of departure -- that is, finding an existing infrastructure to build upon -- is a very, very large win. While the web is indeed an existing infrastructure, I'll claim that it is not nearly as high a point of departure as the DNS is, given the very considerable differences in administration and operations for the two services.
>
> Most people who run Web sites (again, my use case-centric) are much more comfortable working with flat files on a HTTP server than making DNS entries, especially if they have new record types. YMMV.
>
Is any doseta solution prevented from catering to the app-dev crowd? Or
does any solution have to fit exclusively for the needs of the Internet?
Why not have a recommended internet deployment solution (DNS/DKIM) and
allow for flexibility with an alternative/optional 'uri' field?
As I said in a previous email, I know a number of users will want to use
their LDAP or Active Directory server to publish security metadata like
public keys. I'm guessing some will not even want to embed metadata on
how to find a public key as some of these IT people are a little crazy
over securing things.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com