[128974] in North American Network Operators' Group


Re: DNSSEC and SSL

daemon@ATHENA.MIT.EDU (Mikael Abrahamsson)
Sun Aug 22 02:38:16 2010

Date: Sun, 22 Aug 2010 08:38:03 +0200 (CEST)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: ML <ml@kenweb.org>
In-Reply-To: <4C7076B5.9050103@kenweb.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, 21 Aug 2010, ML wrote:

> Would a future with a ubiquitous DNSSEC deployment eliminate the market
> for commercial CAs?

No, but it might eliminate the cheapest certs that people might use. I'd 
like my personal server to have a self-signed cert with its fingerprint 
handled via DNSSEC, because I don't want to pay a CA.

> Would functioning DNSSEC + self signed certs be more secure/trustworthy 
> than our current system of trusted CAs chosen by OS/browser developers?

No, because DNSSEC isn't secured all the way from the DNS server to the 
application, only to the resolver. Both systems have problems, I'd imagine 
the best security is when they work together.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
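
An added example, not from the post or the list, showing the two points above in code: a client pins a self-signed certificate to a fingerprint published in the DNS, and accepts it only when the resolver reports the answer as DNSSEC-validated, which still leaves the stub-to-resolver hop unprotected. It assumes the TLSA record layout later standardized as DANE (RFC 6698); the certificate bytes and DNS headers are constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample: these bytes stand in for a self-signed certificate's DER encoding.
SAMPLE_CERT_DER = b"\x30\x82\x01\x03" + bytes(range(256)) + b"\x00\x01\x02"

# Constructed 12-byte DNS response headers (ID, flags, four section counts).
# 0x81A0 = QR|RD|RA|AD: the resolver asserts it validated the answer with DNSSEC.
RESPONSE_WITH_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
# 0x8180 = QR|RD|RA: same answer, no validation asserted.
RESPONSE_WITHOUT_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

def tlsa_association_data(cert_der: bytes, matching_type: int) -> bytes:
    """Association data for a full-certificate (selector 0) TLSA record."""
    if matching_type == 0:
        return cert_der                      # exact match on the whole certificate
    if matching_type == 1:
        return hashlib.sha256(cert_der).digest()
    if matching_type == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unsupported matching type {matching_type}")

def make_record(cert_der: bytes, matching_type: int = 1) -> dict:
    """Build the TLSA-style record (usage 3 = DANE-EE) the zone owner would publish."""
    return {"usage": 3, "selector": 0, "matching_type": matching_type,
            "data": tlsa_association_data(cert_der, matching_type).hex()}

def cert_matches_record(cert_der: bytes, record: dict) -> bool:
    """Compare the certificate the server presented against one published record."""
    if record["usage"] != 3 or record["selector"] != 0:
        return False                         # other usages/selectors not handled here
    expected = bytes.fromhex(record["data"])
    actual = tlsa_association_data(cert_der, record["matching_type"])
    return hmac.compare_digest(actual, expected)

def ad_bit_set(dns_response: bytes) -> bool:
    """True when the resolver set the AD (Authenticated Data) flag, bit 0x0020."""
    (flags,) = struct.unpack("!H", dns_response[2:4])
    return bool(flags & 0x0020)

def decide(cert_der: bytes, record: dict, dns_response: bytes) -> str:
    """Accept the self-signed cert only if the TLSA answer validated AND matches.
    The AD bit is the resolver's claim; it protects nothing on the stub-to-resolver hop."""
    if not ad_bit_set(dns_response):
        return "reject: TLSA answer was not DNSSEC-validated by the resolver"
    if not cert_matches_record(cert_der, record):
        return "reject: certificate does not match published TLSA data"
    return "accept: certificate pinned via DNSSEC-validated TLSA record"
```

The AD check is only meaningful when the stub trusts its resolver and the path to it; otherwise anything between them can set the flag, which is the gap the reply points at.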

