Fwd: Automatic key verification / CERT in DNS / RFC4398
(Was: [Announce] GnuPG 1.4.3 released)
brad at stop.mail-abuse.org
Wed Apr 5 09:17:43 CEST 2006
At 10:28 PM -0400 2006-04-04, Danny Mayer wrote:
> These three lead to one big question though:
> Can we start doing automatic key verification for mail !?
> This all though leads to a concern on the placing of the CERTS. Having a
> large user base would mean that one has say 600k records or more in the
> main zone for a domain, which gets reloaded every now and then when one
> needs to update it.
Think about ten million users, or fifty million. Each user
having several hundred bytes (or even several KB) of data stored for
them. Stored in the DNS. In a single flat zone. Bad idea. Like,
really bad idea. Like, one of the worst DNS-related ideas I think
I've ever heard of, at least in a very long time.
And it shares most of the same problems in this respect with
DKIM, if you try to push DKIM to process data at the individual level
as opposed to the domain level.
Very highly non-scalable.
> Of course this will also require a lot of software to make it work,
> but this is going in the right direction! :)
Possibly, but I'm not convinced. There are lots of scalability
issues that need to be given some serious thought before you just
leap into the fray and start spraying about large DNS records for
each user, regardless of any other factors that are involved.
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.