[Cryptography] Certificates and PKI

Ben Laurie ben at links.org
Tue Dec 23 05:56:47 EST 2014


On 22 December 2014 at 16:10, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> On Dec 22, 2014, at 5:33 AM, Ben Laurie <ben at links.org> wrote:
>> But also: DANE puts registries and registrars in the roles of CA and
>> RA. If we think CAs are not a good solution, how is it the
>> registries/registrars magically are?
>
> Not "magically", but systematically. Every domain owner has chosen a registry, and possibly a registrar (some registries do not have registrars). There is an established business relationship with the registry that means that you trust them with serving your name correctly. There is fate-sharing between the name you registered and the contents that the registry advertises. Given that fate-sharing, they are in a position to attach any DNS-specific semantics to your name, such as the DS records.

I'm not getting the distinction you're making here. This sounds pretty
much exactly like the relationship you have with a CA...

