DNS CERT vs. LDAP (was: RE: PKI and S/MIME)

["Blake Ramsdell" <blake@brutesquadlabs.com>]

> -----Original Message-----
> From: Simon Josefsson [mailto:jas@extundo.com] 
> Sent: Wednesday, August 13, 2003 4:46 PM
> To: Blake Ramsdell
> Cc: 'Anders Rundgren'; ietf-smime@imc.org; 'Sean P. Turner'
> Subject: Re: PKI and S/MIME
> 
> I believe that what is lacking is not a technical solution (DNS CERT
> RR, LDAP and SRV, etc) but a guideline document, supported by the
> S/MIME community, that you can point at when e-mail application makers
> ask question such as the one that started this thread.

Yes, this was the way I indeed started this thread ("PKI and S/MIME"),
by saying "select relevant other work and profile it for use in the
S/MIME interpersonal messaging domain" ;).  I think we're on the same
page.

My only point about LDAP is that I wanted to illustrate some of the
criteria for any potential profile by comparing two certificate
repository methods, and pointing out what I believe is a relevant
difference.

> One reason why the DNS CERT solution has been proposed, may be that
> the LDAP via SRV idea hasn't been fully documented in a Internet-wide
> S/MIME environment, leaving the problem unsolved.

But once again, if someone held a gun to my head and told me to try and
guess if CERT records and the infrastructure to maintain them would
achieve traction before LDAP and SRV records would, I would say LDAP and
SRV records.  This may be a matter of personal taste, but I like to
think that it is a practical answer based on limited experience with
managing my own domains.

> > as well as administrative tools to upgrade those records that are
> > different than typical DNS administration tools.
> 
> Yes, someone, somewhere will have to do work to make the idea happen.

I think the question is whether or not "someone, somewhere" for DNS CERT
records is better than "been there, done that" for LDAP or other
repositories.

Blake