Matt Blaze <mab@crypto.com> writes:
More seriously, the problem that Perry brought up is that it's hard to deploy any kind of scalable key distribution infrastructure that works with PGP (as it currently exists - and yes, I realize there are work-arounds for some specific situations).
Could you have a distributed database where you lookup by key ID and get a key? Or is there a constraint that the key distribution infrastructure has to be part of the DNS?
I could see a set of key servers where one deals with all keys that start with 0x00, the next has all keys which start with 0x01, etc. This makes it easy to know which server to go to in order to look up a given key ID.
Hal
Well, you could do that, but it has the disadvantage that you can't control what server a particular key would end up on. One of the nice things about DNS-like systems is that a domain is responsible for providing the resources to provide lookups within it. If I add a machine to crypto.com, I add it to the crypto.com name server (plus the secondary servers, but that's a detail that gets handled automatically). Everyone knows to come here if they want to resolve a crypto.com name.

In the case of PGP key IDs, you could create an artificial hierarchy of numbers for the purpose of offloading work among several servers, but that doesn't solve the hard problem, which is letting _me_ (or my designee) control (and be responsible for) the distribution of keys in _my_ domain. (When someone generates a new key it could end up anywhere in the kind of hierarchy you described).

I don't think it's clear yet, by the way, that domain names are the right model for personal key distribution (in particular, it assumes that keys are being distributed on-line and deals only awkwardly with semi-off-line clients, as anyone who travels with a sometimes-networked laptop knows. It also assumes that the distribution hierarchy can be mapped atop the lookup keys namespace, which makes it hard to use for anything that isn't hierarchically formed). It's probably one of the important options, though, since it scales so well and has a successfully fielded history in DNS.

-matt
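The two directory designs under discussion, Hal's key-ID-prefix sharding and Matt's domain-delegated lookup, side by side as an added example; this is illustrative code written for this thread, not anything either of them posted or anything PGP ships. The key-ID derivation (low 64 bits of a SHA-1 fingerprint), the 256-way split on the first byte of the key ID, the sample addresses and the key bytes are all constructed assumptions. The `verified_lookup` helper makes the check a client should do with either design: confirm that the key a server hands back actually has the ID that was asked for, since the directory is only a lookup service and is not trusted to vouch for the key.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: addresses and placeholder "public key" bytes, not real keys.
SAMPLE_KEYS = [
    ("alice@crypto.com", b"constructed-key-material-alice"),
    ("bob@crypto.com", b"constructed-key-material-bob"),
    ("carol@example.org", b"constructed-key-material-carol"),
    ("dave@example.org", b"constructed-key-material-dave"),
]

NUM_SHARDS = 256  # one server per leading byte of the key ID (0x00 .. 0xFF), as Hal sketched


def key_id(pubkey: bytes) -> str:
    """Assumed scheme: key ID = low 64 bits of a SHA-1 fingerprint, as 16 hex digits."""
    return hashlib.sha1(pubkey).hexdigest()[-16:].upper()


def shard_for(kid: str) -> int:
    """Which prefix-sharded server is responsible for this key ID (first byte)."""
    return int(kid[:2], 16)


class PrefixShardedDirectory:
    """Hal's model: the key ID alone decides which server holds the key."""

    def __init__(self):
        self.shards = defaultdict(dict)  # shard number -> {key_id: (owner, pubkey)}

    def publish(self, owner: str, pubkey: bytes) -> str:
        kid = key_id(pubkey)
        self.shards[shard_for(kid)][kid] = (owner, pubkey)
        return kid

    def lookup(self, kid: str):
        return self.shards[shard_for(kid)].get(kid)

    def shards_holding(self, domain: str) -> set:
        """Shards that ended up holding keys for a domain: the owner had no say in this."""
        return {s for s, table in self.shards.items()
                for owner, _ in table.values() if owner.endswith("@" + domain)}


class DomainDelegatedDirectory:
    """Matt's model: the owner's domain runs the authoritative server for its keys."""

    def __init__(self):
        self.servers = {}  # domain -> {key_id: (owner, pubkey)}

    def delegate(self, domain: str):
        self.servers.setdefault(domain, {})

    def publish(self, owner: str, pubkey: bytes) -> str:
        domain = owner.split("@", 1)[1]
        if domain not in self.servers:
            raise KeyError(f"no key server delegated for {domain}")
        kid = key_id(pubkey)
        self.servers[domain][kid] = (owner, pubkey)
        return kid

    def lookup(self, owner: str, kid: str):
        # The lookup namespace (an address) has to map onto the distribution hierarchy.
        domain = owner.split("@", 1)[1]
        return self.servers.get(domain, {}).get(kid)


def verified_lookup(fetch, kid: str):
    """Fetch via any directory and refuse a record whose key does not match the requested ID."""
    record = fetch(kid)
    if record is None:
        return None
    _owner, pubkey = record
    if key_id(pubkey) != kid:
        raise ValueError("directory returned a key whose ID does not match the request")
    return record


def build_directories():
    """Populate both designs with the constructed sample keys and return them."""
    sharded = PrefixShardedDirectory()
    delegated = DomainDelegatedDirectory()
    for domain in ("crypto.com", "example.org"):
        delegated.delegate(domain)
    for owner, pubkey in SAMPLE_KEYS:
        sharded.publish(owner, pubkey)
        delegated.publish(owner, pubkey)
    return sharded, delegated


if __name__ == "__main__":
    sharded, delegated = build_directories()
    for owner, pubkey in SAMPLE_KEYS:
        kid = key_id(pubkey)
        print(f"{owner:20} key ID {kid}  -> prefix shard {shard_for(kid):3d}, "
              f"delegated server {owner.split('@', 1)[1]}")
    print("crypto.com keys landed on shards:", sorted(sharded.shards_holding("crypto.com")))
```

Running it shows each crypto.com key landing on whatever shard its ID happens to start with, while the delegated directory always serves it from crypto.com's own server; a tampered or mismatched record is rejected by `verified_lookup` regardless of which design served it.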