Fwd: Automatic key verification / CERT in DNS / RFC4398

Brad Knowles brad at stop.mail-abuse.org
Thu Apr 6 20:10:05 CEST 2006


At 12:59 PM +0200 2006-04-06, Werner Koch wrote:

>>  	Yeah, but that's probably 31.999999999999999999999999999 more
>>  bytes than you're storing in the DNS today (per user), and with tens
>>  of millions of users in a single flat zone, all that adds up really
>>  fast.
>
>  Please name another reliable directory service.  LDAP is far too heavy
>  and thus I believe DNS can be made workable for such goals much
>  easier.

	DNS is designed to be distributed, and to handle failures through 
replication, redundancy, and caching.

>  Do you think splitting the zones up in say  us.e.r._pka.example.net
>  would be helpful?

	Putting the zones in a hierarchy will certainly help.  That way 
you don't have to change and reload an entire zone with millions of 
users, each time that a single modification has to be made.

	However, I would be careful in choosing a particular hashing 
scheme that will be set in stone -- what is sustainable for a small 
site will be totally inappropriate for a large site.

>  And here we know that it works.  Consider all the people using
>  webmailers or POP3.  No problem at all to serve millions of users.

	Remember what kind of load it added to your web server when you 
switched everything over to SSL, and didn't allow any non-SSL 
connections?  Or what happened when you switched everyone over to 
POP3S or IMAPS exclusively, and didn't allow any unencrypted POP3 or 
IMAP connections?  You know those crypto accelerator cards that you 
had to add to all your webservers to support high levels of SSL usage?

	This is going to be orders of magnitude worse, since those uses 
of encryption are on a per-connection basis, and not per-message.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.



More information about the Gnupg-devel mailing list