
Re: swipe working on infinity.c2.org




Alastair McKinstry says:
> What do you see as the problem with this (PGP keys) ? What kind of
> key management architecture would you recommend ?

Well, as I said, just as one example, it's too hard to reverse map key
IDs into the entities that possess the keys. I'm thinking these days
in terms of building an infrastructure in which a large fraction of
the net can run "in black", which means you need good automated key
management. To do that, you need distributed databases. Databases like
DNS work very nicely for this purpose. Now, DNS can reverse map IP
addresses because IP addresses are structured so it is possible to
assume that if you have delegation over a set of them that you likely
have the forward maps as well. However, you can't build something like
that to handle random PGP key IDs. That means that if you want to be
able to look up key IDs automatically in a network wide DNS style
database, you lose. Key IDs need structure so you can trace them to
organizations with delegation over particular sections of the
keyspace, just as in DNS you have structure to domain names so you can
figure out who has delegation over what part of the domain name space.

Anyway, this is the sort of thing I'm thinking about these days.

Perry
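The asymmetry Perry describes, shown in Python as an added example (not code from the original message or from any project it mentions). The delegation tables, the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges), the key ID and the "structured key name under an organisation's domain" scheme are all constructed for illustration; the last of these is hypothetical, not an existing PGP or DNS feature. The same closest-enclosing-zone match that routes a reverse IP lookup to the right delegate also routes a structured name, but has nothing to work with when handed a hash-derived key ID.

```python
"""Added example: why a DNS-style distributed database can reverse-map IP
addresses (structured identifiers with delegation) but not random PGP key
IDs.  Every table, name and key ID below is constructed for illustration."""
import ipaddress
from typing import Dict, Iterator, Optional, Tuple


def reverse_name(ip: str) -> str:
    """The PTR name for an address: 203.0.113.7 -> 7.113.0.203.in-addr.arpa.
    It is derived from the address alone; no lookup is needed to build it."""
    return ipaddress.ip_address(ip).reverse_pointer


def enclosing_zones(name: str) -> Iterator[str]:
    """Yield the name and each ancestor zone, most specific first."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def find_authority(name: str, delegations: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Closest-enclosing-zone match, the way a resolver decides who holds
    delegation for `name`.  Returns (zone, holder) or None if no zone in the
    table encloses the name."""
    for zone in enclosing_zones(name):
        if zone in delegations:
            return zone, delegations[zone]
    return None


# Constructed reverse-DNS delegation table.  Because address blocks are
# allocated hierarchically, whoever is delegated 113.0.203.in-addr.arpa can
# be assumed to know the forward names for 203.0.113.0/24 as well.
REVERSE_DELEGATIONS: Dict[str, str] = {
    "in-addr.arpa": "IANA",
    "203.in-addr.arpa": "regional registry for 203/8 (constructed)",
    "113.0.203.in-addr.arpa": "Example Org, holder of 203.0.113.0/24 (constructed)",
}

# Hypothetical scheme (assumption): if a key were identified by a name under the
# issuing organisation's domain, the same match would route the lookup to it.
FORWARD_DELEGATIONS: Dict[str, str] = {
    "org": "public registry for .org (constructed)",
    "example.org": "Example Org (constructed)",
}

# A flat keyspace: a PGP key ID is a fragment of a hash, so the only index that
# works is an exact-match table, which must hold every key on the net.
FLAT_KEYSERVER: Dict[str, str] = {
    "C0FFEE1234567890": "alice@example.org (constructed)",
}


def flat_key_holder(key_id: str) -> Optional[str]:
    """Exact match is the only operation a random key ID supports; there is no
    ancestor zone to ask when the key is absent from this one table."""
    return FLAT_KEYSERVER.get(key_id.upper())


if __name__ == "__main__":
    # Structured identifier: the lookup lands on the /24 holder.
    print(find_authority(reverse_name("203.0.113.7"), REVERSE_DELEGATIONS))
    # Address with no specific delegation: falls back to the enclosing zone.
    print(find_authority(reverse_name("198.51.100.1"), REVERSE_DELEGATIONS))
    # Hypothetical structured key name: delegation works the same way.
    print(find_authority("alice.keys.example.org", FORWARD_DELEGATIONS))
    # Random key ID: no enclosing zone exists, only an exact hit in a flat table.
    print(find_authority("C0FFEE1234567890", FORWARD_DELEGATIONS))
    print(flat_key_holder("c0ffee1234567890"), flat_key_holder("DEADBEEF00000000"))
```

Running the script prints the /24 holder for 203.0.113.7, the registry fallback for 198.51.100.1, the organisation for the structured key name, `None` for the bare key ID (no label of it encloses anything), and then the one exact hit followed by `None` for an unknown key.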