
Re: [dane] PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-24 07:52:20
John C Klensin wrote:
> With the understanding that it has failed often enough to bring
> the whole CA system into disgrace as well as helping to motivate
> X.509 changes to allow noting levels of authentication, there is
> at least some moral responsibility on the issuers of certs (for
> web sites or otherwise) to verify identity.  There is, in
> general, no such obligation on DNS registrars.

I'm confused by this text. The letsencrypt CA that is about to go live in 
a couple of months will issue certificates automatically to any piece of
software that can prove control over a domain.

How is that different from DNSSEC?

The most common type of certificate used by the websites I visit is domain
validated, which is exactly: this cert is issued to whoever controls the
domain. Nothing about identity, etc.

Then there are extended validation certificates which are supposed to be issued
only after verifying the identity of the requesting party. But those are
pretty rare.

  • Re: [dane] PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey, Philip Homburg <=