[128977] in North American Network Operators' Group
Re: DNSSEC and SSL
daemon@ATHENA.MIT.EDU (Jakob Schlyter)
Sun Aug 22 05:47:15 2010
From: Jakob Schlyter <jakob@kirei.se>
In-Reply-To: <4C7076B5.9050103@kenweb.org>
Date: Sun, 22 Aug 2010 11:46:41 +0200
To: ML <ml@kenweb.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 22 aug 2010, at 03.00, ML wrote:
> Would a future with a ubiquitous DNSSEC deployment eliminate the market
> for commercial CAs?
>
> Would functioning DNSSEC + self signed certs be more secure/trustworthy
> than our current system of trusted CAs chosen by OS/browser developers?
For DV (domain validation) certificates one can definitely make that claim, but for EV (extended validation) I would see certificate validation in DNSSEC as a complement to EV.
DNSSEC and EV together look like a promising combination.
Disclaimer: I am co-author of http://tools.ietf.org/html/draft-hoffman-keys-linkage-from-dns-00 (work in progress, see http://www.ietf.org/mailman/listinfo/keyassure for more information).
jakob