[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNSSEC and SSL

Subject: DNSSEC and SSL
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sun, 22 Aug 2010 08:38:03 +0200 (CEST)
In-reply-to: <[email protected]>
References: <[email protected]>

On Sat, 21 Aug 2010, ML wrote:

> Would a future with a ubiquitous DNSSEC deployment eliminate the market
> for commercial CAs?

No, but it might eliminate the cheapest certs that people might use. I'd 
like my personal server to have a self-signed cert with it's fingerprint 
handled via DNSSEC, because I don't want to pay a CA.

> Would functioning DNSSEC + self signed certs be more secure/trustworthy 
> than our current system of trusted CAs chosen by OS/browser developers?

No, because DNSSEC isn't secured all the way from the DNS server to the 
application, only to the resolver. Both systems have problems, I'd imagine 
the best security is when they work together.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

Follow-Ups:
- DNSSEC and SSL
  - From: ml at kenweb.org (ML)

References:
- DNSSEC and SSL
  - From: ml at kenweb.org (ML)

Prev by Date: DNSSEC and SSL
Next by Date: end-user ipv6 deployment and concerns about privacy
Previous by thread: DNSSEC and SSL
Next by thread: DNSSEC and SSL
Index(es):
- Date
- Thread