Fwd: Automatic key verification / CERT in DNS / RFC4398

Werner Koch wk at gnupg.org
Thu Apr 6 12:59:32 CEST 2006

On Wed, 5 Apr 2006 20:03:36 -0500, Brad Knowles said:

> 	I haven't looked that closely into DKIM, but I'll take you at 
> your word with regard to the weaknesses you describe.  However, this 
> doesn't mean that these weaknesses can't be fixed.

Experience has shown that designing such a protocol is very hard.
After about 8 years of OpenPGP the major problem new implementations
have is the canonicalization rules.  They are really simple with OpenPGP:
trailing white space and line endings are the only things to care
about.  Still, there are a lot of discussions about the edge cases.

Now check out the rules for DKIM or, shudder, XMLSIG.  They are really,
really complicated.  Getting the protocol right and writing compatible
implementations will be a major undertaking.  You won't see that in the
next 10 years.

> 	Yeah, but that's probably 31.999999999999999999999999999 more 
> bytes than you're storing in the DNS today (per user), and with tens 
> of millions of users in a single flat zone, all that adds up really 
> fast.

Please name another reliable directory service.  LDAP is far too heavy
and thus I believe DNS can be made workable for such goals much

Do you think splitting the zones up in, say, us.e.r._pka.example.net
would be helpful?

> for the entire domain to tell everyone how to access that web 
> server), then we've exchanged DNS server scalability (a subject I 
> have some familiarity with and something I care a great deal about) 
> for web server scalability (something I know less about, and which I 

And here we know that it works.  Consider all the people using
webmailers or POP3.  No problem at all to serve millions of users.
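The canonicalization rules contrasted above, as an added illustration that is not code from the thread or from GnuPG: the OpenPGP cleartext rule (strip trailing spaces/tabs, CRLF line endings) beside DKIM's "relaxed" body canonicalization, which adds further rules. It assumes input may arrive with LF, CR or CRLF endings; DKIM's header canonicalization is not shown.

```python
"""Canonicalization before hashing: OpenPGP cleartext vs DKIM relaxed body.

Added illustration for this thread, not code from GnuPG or the posters.
OpenPGP (RFC 4880 sec. 7.1) only strips trailing spaces/tabs per line and
uses CRLF line endings.  DKIM relaxed body canonicalization (RFC 6376
sec. 3.4.4) additionally collapses runs of whitespace and discards
trailing empty lines; its header rules (not shown) add more still.
Assumption: input may use LF, CR or CRLF endings (DKIM itself expects CRLF).
"""
import hashlib
import re

CRLF = b"\r\n"

def _lines(data: bytes):
    """Split on CRLF, bare CR or bare LF; returns lines without terminators."""
    return re.split(rb"\r\n|\r|\n", data)

def openpgp_cleartext_canonicalize(text: bytes) -> bytes:
    """RFC 4880 7.1 per-line rule: drop trailing spaces/tabs, join with CRLF.
    (The final line break before the signature armor is a separate edge case
    and is not handled here.)"""
    return CRLF.join(ln.rstrip(b" \t") for ln in _lines(text))

def dkim_relaxed_body_canonicalize(body: bytes) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP, collapse WSP runs to one SP,
    drop empty lines at the end, and terminate a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in _lines(body)]
    while lines and lines[-1] == b"":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else b""

def digest_after(canon, data: bytes) -> str:
    """SHA-256 of the canonical form: what a signer or verifier actually hashes."""
    return hashlib.sha256(canon(data)).hexdigest()

if __name__ == "__main__":
    # Constructed sample: same message, different trailing whitespace and
    # line endings, as a mail relay might rewrite it.
    sent = b"Hello  world \t\nbye\r\n"
    received = b"Hello  world\r\nbye\n"
    for name, canon in (("OpenPGP", openpgp_cleartext_canonicalize),
                        ("DKIM-relaxed", dkim_relaxed_body_canonicalize)):
        same = digest_after(canon, sent) == digest_after(canon, received)
        print(f"{name:13s} digests match: {same}")
```

Note that a run of inner spaces survives OpenPGP canonicalization but not DKIM relaxed, so a relay that reflows interior whitespace breaks one signature and not the other.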
