On Mon, Feb 08, 2010 at 09:01:23AM +0100, Stephane Bortzmeyer wrote:
> Very bad idea because it does not scale: I, sysadmin of a validating resolver, certainly cannot go to 42 different https Web pages to extract the one and only authoritative information.

Well, this may not lead anywhere useful. If you "cannot" make the conscious decision to configure and maintain a set of trust anchors, then there's a variety of options, including "do nothing". This WG has made a statement regarding the unsolicited inclusion of trust anchors in "some" distribution mechanisms in the past and there was also the list of requirements for TARs, which included prior consent of the party responsible for the KSK/TA. Unfortunately, helpful deployment initiatives have turned into obstacles more than once.

-Peter