% I was wondering if the best system to build a global PKI wouldn't be the
% DNS system already in place?
% 
        As others have pointed out, the DNS already has the capability
        to store certs.  So you could use the DNS as a publication 
        method.  But is this the only thing a PKI needs?  How would
        one revoke a cert that was in the DNS?  How can you update
        -every- cached copy of the cert in question? 

        For this (among other) reason(s), the DNS can't really be 
        considered a PKI in any real sense.

-- 
--bill
