[Cryptography] "Trust in digital certificate ecosystem eroding"

Ben Laurie ben at links.org
Mon May 4 09:16:52 EDT 2015


On 3 May 2015 at 23:45, Christian Huitema <huitema at huitema.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sunday, May 3, 2015, at 11:02 AM, Guido Witmond wrote:
>> ...
>> With DNSSEC and DANE, the site-owner *specifies* which CA is the correct
>> one *for their own site*.
>
> Yes. And this is indeed the right way to look at the problem. Not "does this certificate chain verify according to the rules of WebPKI" but "can we verify that this is the certificate that the server domain intended to use." DNSSEC could be a great tool for that.

Why? DNSSEC has its equivalent of CAs/RAs: registries and registrars.
Why do you think they'll do any better a job of verifying ownership
than CAs do?
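The DANE mechanism Guido and Christian are describing is the TLSA record (RFC 6698): the domain owner publishes, under DNSSEC, a hash of either the end-entity key or the CA key they intend to use, and a client compares the presented chain against that. The following is an added illustration, not code from the list or from any DANE implementation, showing how such a record is parsed and matched. The certificate and SubjectPublicKeyInfo byte strings are constructed stand-ins, not real DER. Two things it deliberately leaves out, and which a real validator must do: obtaining the record over a DNSSEC-validated lookup (which is exactly where Ben's point about registries and registrars applies, since the zone's signing chain is what the match rests on), and, for usages 0, 1 and 2, the ordinary path validation that those usages still require on top of the association match.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# TLSA record fields as laid out in RFC 6698 section 2.
@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data

def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Parse wire-format TLSA RDATA: three one-octet fields followed by the data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSARecord(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

def parse_tlsa_presentation(text: str) -> TLSARecord:
    """Parse the zone-file form, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, *hexparts = text.split()
    data = bytes.fromhex("".join(hexparts))
    record = TLSARecord(int(usage), int(selector), int(mtype), data)
    expected = {0: None, 1: 32, 2: 64}.get(record.matching_type)
    if expected is not None and len(data) != expected:
        raise ValueError("association data length does not match the matching type")
    return record

def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute the bytes a TLSA record would carry for this certificate."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_der
    else:
        raise ValueError("unknown selector")
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type")

Chain = List[Tuple[bytes, bytes]]  # (certificate DER, SPKI DER), leaf first

def tlsa_matches(record: TLSARecord, chain: Chain) -> bool:
    """True if the association data matches the certificate the usage selects.

    This is only the association check; usages 0/1 also need PKIX validation and
    usage 2 needs a chain built to the named trust anchor (both omitted here).
    """
    if not chain:
        return False
    if record.usage in (1, 3):        # PKIX-EE / DANE-EE: the end-entity certificate
        candidates = chain[:1]
    elif record.usage in (0, 2):      # PKIX-TA / DANE-TA: a CA somewhere in the chain
        candidates = chain[1:]
    else:
        return False                  # unknown usage: treated as unusable
    try:
        return any(
            hmac.compare_digest(
                association_data(cert, spki, record.selector, record.matching_type),
                record.data)
            for cert, spki in candidates)
    except ValueError:
        return False

# Constructed stand-ins for DER-encoded certificates and their SubjectPublicKeyInfo.
LEAF_CERT = b"constructed-leaf-certificate-der"
LEAF_SPKI = b"constructed-leaf-spki-der"
CA_CERT = b"constructed-ca-certificate-der"
CA_SPKI = b"constructed-ca-spki-der"
CHAIN: Chain = [(LEAF_CERT, LEAF_SPKI), (CA_CERT, CA_SPKI)]

def site_owner_records() -> List[str]:
    """What a site owner would publish: pin the leaf key (3 1 1) or the CA key (2 1 1)."""
    return [
        "3 1 1 " + hashlib.sha256(LEAF_SPKI).hexdigest(),
        "2 1 1 " + hashlib.sha256(CA_SPKI).hexdigest(),
    ]

if __name__ == "__main__":
    for text in site_owner_records():
        print(text, tlsa_matches(parse_tlsa_presentation(text), CHAIN))
```

The `2 1 1` record is the case the thread is discussing: the owner names the CA that is allowed to issue for the site, so a certificate from any other CA fails the match even if it would chain under WebPKI rules. Whether that is stronger than WebPKI depends entirely on who can change the zone and its DNSSEC keys, which is Ben's objection.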


More information about the cryptography mailing list