nanog mailing list archives

Re: DNSSEC and SSL

From: Jakob Schlyter <jakob () kirei se>
Date: Sun, 22 Aug 2010 11:46:41 +0200

On 22 aug 2010, at 03.00, ML wrote:

Would a future with a ubiquitous DNSSEC deployment eliminate the market
for commercial CAs?

Would functioning DNSSEC + self signed certs be more secure/trustworthy
than our current system of trusted CAs chosen by OS/browser developers?


For DV (domain validation) certificates one can definitely make that claim, but for EV (extended validation) I would 
see certificate validation in DNSSEC as a complement to EV.

DNSSEC and EV together looks like a promising combination.

Disclaimer: I am co-author of http://tools.ietf.org/html/draft-hoffman-keys-linkage-from-dns-00 (work in progress, see 
http://www.ietf.org/mailman/listinfo/keyassure for more information).


        jakob

Current thread:

Re: DNSSEC and SSL, (continued)
- - Re: DNSSEC and SSL ML (Aug 22)
    - Re: DNSSEC and SSL Mans Nilsson (Aug 22)
    - Re: DNSSEC and SSL bmanning (Aug 22)
    - Re: DNSSEC and SSL Wes Hardaker (Aug 23)
    - Re: DNSSEC and SSL Tony Finch (Aug 23)
    - Re: DNSSEC and SSL Curtis Maurand (Aug 23)
    - Re: DNSSEC and SSL Doug Barton (Aug 23)
    - Re: DNSSEC and SSL bmanning (Aug 22)
    - Re: DNSSEC and SSL Tony Finch (Aug 23)
    - Re: DNSSEC and SSL Jakob Schlyter (Aug 23)
- Re: DNSSEC and SSL Jakob Schlyter (Aug 22)
- Re: DNSSEC and SSL Rubens Kuhl (Aug 23)
  - Re: DNSSEC and SSL Barry Shein (Aug 23)