John Gilmore wrote:

Rich $alz said:


it might be more useful to create a user-friendly management
interface to IPsec implementations to join the zero or so already



We've been making it simpler in just about every release. Now you
basically have to download the RPM, install it, it spits out a public
key, and you install that public in your DNS in-addr records. Then


Ah, but that last is the kicker. I'm all for the whole DNSSEC-as-key-distribution model, but we're
a long way from it in practice. In your example above, there are actually two more
common versions of step 3: 1) user who doesn't even know he has a public key takes it
to the guy in charge of maintaining DNS for his installation and attempts to convince him
that he ought to put it in the user's machine's in-addr record. Or 2) home/roaming user
who has no effective DNS service for his endpoint from his ISP looks at his shiny new key
and wonders what to do. (Yes, in theory you could grease the wheels with clever use of
dynamic DNS, but it's not currently deployed in a way that will help most people with this
problem.)


--Diana


---------------------------------------------------------------------
The Cryptography Mailing List