
Re: why pgp sucks
Derek Atkins says:
> The only problem with piggybacking off the current DNS implementation
> is that DNS was designed for SMALL pieces of data (read: hostnames and
> IP addresses).  PGP keys are HUGE pieces of data, in respect, and DNS
> just won't handle the sizes.  For example, my PGP key is about 8k of
> data (approximately).  DNS would never be able to handle that!

Well, it's already been modified to do it. Read the drafts by Eastlake
and Kaufman on DNS security, which basically means keys in the DNS and
signed DNS records.

> If it's bigger than a single UDP packet, DNS has trouble.

So you use TCP -- DNS already supports that. In any case, however, the
reassembly size and lowest common denominator MTUs are being jacked
way up for IPv6.

> No, while DNS is a perfect model for a distributed keyserver,
> it is by no means the implementation infrastructure that we want
> to use.

I very strongly disagree. Even today, we find more and more bugs in
DNS. If we had to start from scratch, we'd have to build an
infrastructure like DNS all over again, only to find that we suffer
from all the same old bugs and end up with a parallel implementation
that looks almost exactly like DNS only less reliable.

Perry
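As an added example (not part of the thread, and not code from anyone quoted in it) of the size problem and the TCP fallback Perry points to: a constructed DNS response carrying an 8 KiB opaque blob standing in for a PGP key. It assumes the classic 512-byte UDP payload limit of RFC 1035, parks the blob in a TXT record for illustration (the drafts define dedicated key records), and simulates the exchange in-process rather than on the network.

```python
import struct

# Classic DNS-over-UDP payload ceiling from RFC 1035, before EDNS0 existed.
UDP_PAYLOAD_MAX = 512
FLAG_QR = 0x8000   # header flag: this message is a response
FLAG_TC = 0x0200   # header flag: truncated, client should retry over TCP
TXT_TYPE, IN_CLASS = 16, 1   # TXT used only as a stand-in record type here

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(name, rdata, rtype=TXT_TYPE, ttl=3600):
    """Return (udp_message, full_message) for one answer record carrying rdata.
    When the full message exceeds UDP_PAYLOAD_MAX, the UDP copy is cut back to
    header + question with the TC bit set; the full copy is what TCP delivers."""
    if len(rdata) > 0xFFFF:
        raise ValueError("RDATA does not fit the 16-bit RDLENGTH field")
    question = encode_name(name) + struct.pack("!HH", rtype, IN_CLASS)
    answer = encode_name(name) + struct.pack("!HHIH", rtype, IN_CLASS, ttl, len(rdata)) + rdata
    full = struct.pack("!HHHHHH", 0x1234, FLAG_QR, 1, 1, 0, 0) + question + answer
    if len(full) > 0xFFFF:
        raise ValueError("message does not fit the 16-bit TCP length prefix")
    if len(full) <= UDP_PAYLOAD_MAX:
        return full, full
    truncated = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC, 1, 0, 0, 0) + question
    return truncated, full

def needs_tcp_retry(udp_message):
    """Client side: a set TC bit means the UDP answer is incomplete."""
    flags = struct.unpack("!H", udp_message[2:4])[0]
    return bool(flags & FLAG_TC)

def frame_for_tcp(message):
    """DNS over TCP prepends a two-byte big-endian length to each message."""
    return struct.pack("!H", len(message)) + message

def resolve(name, rdata):
    """Simulate the exchange: answer over UDP, fall back to TCP when truncated.
    Returns (transport_used, answer_bytes)."""
    udp, full = build_response(name, rdata)
    if needs_tcp_retry(udp):
        framed = frame_for_tcp(full)
        length = struct.unpack("!H", framed[:2])[0]
        return "tcp", framed[2:2 + length]
    return "udp", udp
```

Calling `resolve("perry.example.org", bytes(range(256)) * 32)` (a constructed 8 KiB blob, not a real key) comes back over "tcp", while a short record stays on "udp". EDNS0 later let clients advertise larger UDP payloads, but the TC-bit-then-TCP retry shown here remains the mechanism for answers that still do not fit.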