On 3/14/2016 20:18, Doug Barton wrote:
> On 03/14/2016 03:25 PM, Mire, John wrote:
>> On 3/14/2016 15:38, Doug Barton wrote:
>>
>> I think there is a system in place that works pretty well; keys are
>> not 'siloed' in one place but are distributed to every keyserver for
>> the public to see: it's the SKS OpenPGP keyservers.
>
> I'm having trouble understanding your response, sorry. Are you saying
> that the DNS method involving the fingerprint and retrieval from the key
> server is better, or are you saying that no DNS method is necessary at all?

DNS is distributed from a hierarchical model from the top down; in its nature it's siloed. So, for example, with john.doe.com, doug.barton.com and john.mire.com, each site has its PGP key info in its DNS server(s); no one else would have that info. If your site was DDoS'd, I couldn't automatically get your public key from dns.john.mire.com or dns.john.doe.com and vice versa unless we set up secondary zones; it's not automatic and it has very little redundancy.

In the keyserver world, if your keyserver was DDoS'd, you could get your info from keyserver.john.mire.com or keyserver.john.doe.com or any other keyserver, if you knew the address. Also, as far as DR (disaster recovery) is concerned, if you didn't bring your keyserver(s) back up, your info would still be available and you could move forward, unlike your DNS, unless you offloaded it.

This view is from my experience from my work: we have about 8500 people, and that's a lot of entries already in DNS for the machines. We are authoritative for our domain and don't have secondary zones; we have one keyserver, but if it goes down, we can just use the keyserver pool.
/john

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
