Fwd: Automatic key verification / CERT in DNS /
brad at stop.mail-abuse.org
Thu Apr 6 20:10:05 CEST 2006
At 12:59 PM +0200 2006-04-06, Werner Koch wrote:
>> Yeah, but that's probably 31.999999999999999999999999999 more
>> bytes than you're storing in the DNS today (per user), and with tens
>> of millions of users in a single flat zone, all that adds up really
> Please name another reliable directory service. LDAP is far too heavy
> and thus I believe DNS can be made workable for such goals much
DNS is designed to be distributed, and to handle failures through
replication, redundancy, and caching.
> Do you think splitting the zones up in say us.e.r._pka.example.net
> would be helpful?
Putting the zones in a hierarchy will certainly help. That way
you don't have to change and reload an entire zone with millions of
users, each time that a single modification has to be made.
However, I would be careful in choosing a particular hashing
scheme that will be set in stone -- what is sustainable for a small
site will be totally inappropriate for a large site.
> And here we know that it works. Consider all the people using
> webmailers or POP3. No problem at all to serve millions of users.
Remember what kind of load it added to your web server when you
switched everything over to SSL, and didn't allow any non-SSL
connections? Or what happened when you switched everyone over to
POP3S or IMAPS exclusively, and didn't allow any unencrypted POP3 or
IMAP connections? You know those crypto accelerator cards that you
had to add to all your webservers to support high levels of SSL usage?
This is going to be orders of magnitude worse, since those uses
of encryption are on a per-connection basis, and not per-message.
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.