[Cryptography] Certificates and PKI
Nico Williams
nico at cryptonector.com
Mon Dec 22 22:38:45 EST 2014
On Mon, Dec 22, 2014 at 01:33:53PM +0000, Ben Laurie wrote:
> On 21 December 2014 at 19:19, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
> > * More progress needs to be made on the DNSSEC last-mile
> > problem,
>
> Indeed, this does appear to be the biggest blocker for DANE.
>
> But also: DANE puts registries and registrars in the roles of CA and
> RA. If we think CAs are not a good solution, how is it the
> registries/registrars magically are?
CAs weren't necessarily a bad solution. Unconstrained naming definitely
was.
DNSSEC (and therefore DANE) has that critical feature that PKIX only has
as-specified but never will as-deployed: naming constraints.
RAs might well be as awful as CAs. But at least they'll be constrained.
Then there's naming. X.500 naming is just. such. a. disaster.
People (perhaps every literate human with an Internet connection) are
conversant with domain names. Perhaps three people outside this list
understand X.500 naming.
Naming constraints is PKIX's last-mile problem.
If you look at it this way, which horse has a better chance of winning?
Nico
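The naming-constraints point above, as an added illustration that is not part of the thread: a small Python model of RFC 5280 section 4.2.1.10 dNSName constraints as a PKIX chain would have to apply them, next to the structural constraint DANE inherits from DNS zone cuts (RFC 6698 TLSA owner names). All names and zones below are constructed sample values.

```python
# Added example, not from the thread: PKIX dNSName name constraints vs. the
# zone-cut constraint that DANE gets for free from the DNS hierarchy.

def _labels(name: str):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280: a dNSName satisfies a subtree if it equals the base or adds
    labels on the left. Compared label-wise so 'notexample.com' does NOT
    match 'example.com' (a classic suffix-string bug in naive checkers)."""
    n, b = _labels(name), _labels(base.lstrip("."))
    return len(n) >= len(b) and n[-len(b):] == b

def dns_name_permitted(name: str, permitted=(), excluded=()) -> bool:
    """Apply one CA's NameConstraints to a single dNSName. Excluded subtrees
    always win; an empty permitted list means 'no restriction' (RFC 5280)."""
    if any(dns_in_subtree(name, e) for e in excluded):
        return False
    return not permitted or any(dns_in_subtree(name, p) for p in permitted)

def chain_permits(san_names, chain_constraints) -> bool:
    """Every constrained CA on the path restricts every SAN dNSName of the
    leaf, so constraints intersect down the chain. chain_constraints is a
    list of (permitted, excluded) tuples, root first."""
    return all(dns_name_permitted(n, p, e)
               for n in san_names for p, e in chain_constraints)

def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """RFC 6698 TLSA owner name: _port._proto.host (constructed, no lookup)."""
    return f"_{port}._{proto}.{host.rstrip('.')}"

def zone_may_publish(zone: str, owner: str) -> bool:
    """DANE's naming constraint is structural: only a zone at or above the
    TLSA owner name can publish it or delegate it (and DNSSEC-sign that)."""
    return dns_in_subtree(owner, zone)
```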