[Cryptography] Certificates and PKI

Nico Williams nico at cryptonector.com
Mon Dec 22 22:38:45 EST 2014

On Mon, Dec 22, 2014 at 01:33:53PM +0000, Ben Laurie wrote:
> On 21 December 2014 at 19:19, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
> >     * More progress needs to be made on the DNSSEC last-mile
> >       problem,
> Indeed, this does appear to be the biggest blocker for DANE.
> But also: DANE puts registries and registrars in the roles of CA and
> RA. If we think CAs are not a good solution, how is it the
> registries/registrars magically are?

CAs weren't necessarily a bad solution.  Unconstrained naming definitely

DNSSEC (and therefore DANE) has that critical feature that PKIX only has
as-specified but never will as-deployed: naming constraints.

RAs might well be as awful as CAs.  But at least they'll be constrained.

Then there's naming.  x.500 naming is just. such. a. disaster.

People -perhaps every literate human with an Internet connection- are
conversant with domainnames.  Perhaps three people outside this list
understand x.500 naming.

Naming constraints is PKIX's last-mile problem.

If you look at it this way, which horse has a better chance of winning?


More information about the cryptography mailing list