[Cryptography] Certificates and PKI

Paul Hoffman paul.hoffman at vpnc.org
Mon Dec 22 11:10:40 EST 2014

On Dec 22, 2014, at 5:33 AM, Ben Laurie <ben at links.org> wrote:
> But also: DANE puts registries and registrars in the roles of CA and
> RA. If we think CAs are not a good solution, how is it the
> registries/registrars magically are?

Not "magically", but systematically. Every domain owner has chosen a registry, and possibly a registrar (some registries do not have registrars). There is an established business relationship with the registry that means that you trust them with serving your name correctly. There is fate-sharing between the name you registered and the contents that the registry advertises. Given that fate-sharing, they are in a position to attach any DNS-specific semantics to your name, such as the DS records.

--Paul Hoffman

More information about the cryptography mailing list