On Sat, Dec 26, 2015 at 3:22 PM, Alexey Eromenko <al4321(_at_)gmail(_dot_)com>
wrote:
Hi all,
Assume the DNS system added a new resource record (RR) which allowed one to
publish the public key for a particular FQDN.
How secure or insecure would that be?
Is there a way to *securely* retrieve such information from, for
example, an authoritative
DNS server, without any middlebox (such as a DNS proxy) mangling it?
And have the TLD DNS servers act as the top "Root Certificate Authorities",
so that an X.509 SSL certificate chain could look like:
- "."
+- ".com."
|--+ "company_abc.com."
|-----+ "www.company_abc.com."
|-----+ "mail.company_abc.com."
|-----+ "ftps.company_abc.com."
etc...
I am not yet sure if this is possible or not, just loud thinking...
In theory, if possible, this should simplify certification and make
it easier to start an HTTPS server, cutting Verisign and friends out
of the loop.
What do you think?
VeriSign Inc. has been out of that loop for 5 years. Their current
business is running core DNS.
One of the issues people don't seem to consider in these schemes is
that merely reducing the number of trusted intermediaries from ~40 to
one doesn't actually remove reliance on trusted third parties, it
merely removes all choice in the matter.