[Cryptography] "Trust in digital certificate ecosystem eroding"

Viktor Dukhovni cryptography at dukhovni.org
Mon May 4 17:07:42 EDT 2015

On Mon, May 04, 2015 at 02:16:52PM +0100, Ben Laurie wrote:

> Why? DNSSEC has its equivalent of CAs/RAs: registries and registrars.
> Why do you think they'll do any better a job of verifying ownership
> than CAs do?

Because they don't need to verify anything.  The domain is registered
with them, the account holder is the domain owner by *definition*.

The problem they have is not verification of ownership, rather it
is an account security problem.  Compromise of registrar login
accounts (social engineering password resets, ...) is the problem
to solve.

This is rather different from the much weaker "verification" (none
really) performed by CAs for DV certs.

Yes, there is still a problem to address: for many registrars,
account security is not very strong.  Domain owners may shop around
for a registrar with better practices when protecting a high-value
