[Cryptography] Certificates and PKI

Randy Bush randy at psg.com
Mon Dec 22 09:02:28 EST 2014

> But also: DANE puts registries and registrars in the roles of CA and
> RA.

not exactly.  it is the zone owners.  but yes, you can be hijacked up
the tree.  luckily this is not a problem with current CAs </sarcasm>.

> If we think CAs are not a good solution, how is it the
> registries/registrars magically are?

price?  the dns hierarchy at least gives you some place to complain,
though admittedly with not a lot more effect.  but with DANE, i can
take my zone and TLSA and move them to a different registrar for ten


the internet is not a hierarchy, a police state is.

