nanog mailing list archives
Re: DNSSEC and SSL
From: Jakob Schlyter <jakob () kirei se>
Date: Sun, 22 Aug 2010 11:46:41 +0200
On 22 aug 2010, at 03.00, ML wrote:
> Would a future with a ubiquitous DNSSEC deployment eliminate the market for commercial CAs? Would functioning DNSSEC + self signed certs be more secure/trustworthy than our current system of trusted CAs chosen by OS/browser developers?
For DV (domain validation) certificates one can definitely make that claim, but for EV (extended validation) I would see certificate validation in DNSSEC as a complement to EV. DNSSEC and EV together look like a promising combination.

Disclaimer: I am co-author of http://tools.ietf.org/html/draft-hoffman-keys-linkage-from-dns-00 (work in progress, see http://www.ietf.org/mailman/listinfo/keyassure for more information).

jakob