Fwd: Automatic key verification / CERT in DNS / RFC4398 (Was: [Announce] GnuPG 1.4.3 released)

Brad Knowles brad at stop.mail-abuse.org
Wed Apr 5 09:17:43 CEST 2006

At 10:28 PM -0400 2006-04-04, Danny Mayer wrote:

>  These three lead to one big question though:
>    Can we start doing automatic key verification for mail !?

	See DKIM.

>  This all though leads to a concern on the placing of the CERTS. Having a
>  large user base would mean that one has say 600k records or more in the
>  main zone for a domain, which gets reloaded every now and then when one
>  needs to update it.

	Think about ten million users, or fifty million.  Each user 
having several hundred bytes (or even several KB) of data stored for 
them.  Stored in the DNS.  In a single flat zone.  Bad idea.  Like, 
really bad idea.  Like, one of the worst DNS-related ideas I think 
I've ever heard of, at least in a very long time.

	And it shares most of the same problems in this respect with 
DKIM, if you try to push DKIM to process data at the individual level 
as opposed to the domain level.

	Very highly non-scalable.

>  Of course this will also require a lot of software to make it work,
>  but this is going in the right direction! :)

	Possibly, but I'm not convinced.  There's lots of scalability 
issues that need to be given some serious thought before you just 
leap into the fray and start spraying about large DNS records for 
each user, regardless of any other factors that are involved.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.
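An added example (not code from this thread or from GnuPG) that builds and parses an RFC 4398 CERT record carrying a PGP key, then sizes a flat zone for the user counts argued about above; the owner name and key material are constructed placeholders, and the 10 million / 50 million figures and the "several hundred bytes to several KB" key sizes are the ones from the message.

```python
import base64
import struct

# RFC 4398 CERT RR RDATA: type (16 bits) | key tag (16 bits) | algorithm (8 bits) | certificate
CERT_TYPE_PGP = 3   # mnemonic "PGP": an OpenPGP transferable public key

def cert_rdata(cert_type, key_tag, algorithm, cert_bytes):
    """Build wire-format CERT RDATA (RFC 4398 section 2)."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert_bytes

def parse_cert_rdata(rdata):
    """Split wire-format CERT RDATA back into its fields; reject truncated input."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than the 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]

def pgp_cert_record(owner, key_bytes, ttl=3600):
    """Presentation form of a PGP CERT record; key tag and algorithm are 0 for a PGP key."""
    b64 = base64.b64encode(key_bytes).decode("ascii")
    return f"{owner} {ttl} IN CERT PGP 0 0 {b64}"

def zone_size_estimate(users, key_bytes_per_user, owner="user000000.example.com.", ttl=3600):
    """Bytes of zone-file text for `users` records that each carry a key of the given size.
    base64 expands the key by 4/3; one newline per record; owner is a constructed name."""
    per_record = len(pgp_cert_record(owner, bytes(key_bytes_per_user), ttl)) + 1
    return users * per_record

if __name__ == "__main__":
    # Constructed placeholder key material; a real record would carry a gpg --export blob.
    key = bytes(range(256)) + bytes(44)          # 300 bytes
    rdata = cert_rdata(CERT_TYPE_PGP, 0, 0, key)
    print(parse_cert_rdata(rdata)[:3])           # (3, 0, 0)
    for users, size in [(600_000, 300), (10_000_000, 300), (50_000_000, 4096)]:
        gb = zone_size_estimate(users, size) / 1e9
        print(f"{users:>10,} users x {size:>5} B keys -> {gb:7.2f} GB of zone text")
```

Every one of those bytes lives in a single zone that is reloaded and transferred whole, which is the scaling concern raised in the reply.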
