
Re: Using DNS system as a Global Root Certificate Authority - possible ?

2015-12-27 00:35:59
On 27 Dec 2015, at 4:11, John C Klensin wrote:

> At that point, the number of trusted intermediaries
> gets back toward order 40 or 100, not one, unless the question
> is "do you control this domain" rather than "are you who you say
> you are".

It is not that bad, as the domain in question is bound to one and only one 
registrar, a mapping that the registry keeps track of. It is not the case 
that any registrar can make any change to any domain name.

So, with today's CA system, any CA can sign a cert with any domain name in the 
CN.

With the DNS and DNSSEC, only registries in the hierarchy from the root can 
publish the DS, and only one registrar can pass the DS to the parent for 
publication.

   Patrik

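The binding Patrik describes, as an added example that is not part of the original mail or of any IETF document: the DS record that the registry publishes in the parent zone is a hash over the child zone's name and its DNSKEY, so a key can only be "vouched for" by the one parent in the hierarchy above it, not by an arbitrary third party. The code follows RFC 4034 section 5.1.4 and Appendix B and RFC 4509 (SHA-256, digest type 2); the zone names, flags and key bytes are constructed for illustration and no DNS is queried.

```python
# Added example (not from the original mail): how a parent zone's DS record binds a
# child zone's DNSKEY, per RFC 4034 s5.1.4 / Appendix B and RFC 4509 (digest type 2).
# All names and key bytes below are constructed; nothing here talks to real DNS.
import hashlib
import hmac
import struct
from dataclasses import dataclass

ZONE_KEY_FLAG = 0x0100  # RFC 4034 s2.1.1: bit 7 of the flags field
SEP_FLAG = 0x0001       # RFC 4034 s2.1.1 / RFC 3757: bit 15, set on a KSK


@dataclass(frozen=True)
class DNSKEY:
    owner: str         # zone name, e.g. "example.com."
    flags: int         # 257 = zone key + SEP (KSK), 256 = zone key only (ZSK)
    protocol: int      # must be 3 (RFC 4034 s2.1.2)
    algorithm: int     # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes  # algorithm-specific key material (constructed here)

    def rdata(self) -> bytes:
        """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    owner: str        # the child zone the DS covers; the record itself lives in the parent
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256 (RFC 4509)
    digest: bytes


def canonical_name(name: str) -> str:
    """Lowercase, fully qualified (trailing dot) form used for comparisons."""
    return name.lower().rstrip(".") + "."


def name_to_wire(name: str) -> bytes:
    """Canonical owner-name wire form (RFC 4034 s6.2): lowercase length-prefixed labels, root byte."""
    labels = canonical_name(name).rstrip(".")
    out = b""
    if labels:
        for label in labels.split("."):
            enc = label.encode("ascii")
            if not 1 <= len(enc) <= 63:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(enc)]) + enc
    return out + b"\x00"


def parent_zone(name: str) -> str:
    """The only zone entitled to publish this zone's DS: drop the leftmost label ("." for a TLD)."""
    name = canonical_name(name)
    if name == ".":
        raise ValueError("the root has no parent; its key is a configured trust anchor")
    return name.split(".", 1)[1] or "."


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not the obsolete RSA/MD5 variant)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(key: DNSKEY) -> DS:
    """What the registry publishes in the parent: SHA-256(owner name wire form || DNSKEY RDATA)."""
    rdata = key.rdata()
    digest = hashlib.sha256(name_to_wire(key.owner) + rdata).digest()
    return DS(canonical_name(key.owner), key_tag(rdata), key.algorithm, 2, digest)


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """Validator side: does the DS fetched from the parent cover this DNSKEY served by the child?"""
    if ds.digest_type != 2 or canonical_name(ds.owner) != canonical_name(key.owner):
        return False
    if key.protocol != 3 or not key.flags & ZONE_KEY_FLAG:
        return False  # RFC 4034 s2.1.1/2.1.2: not usable as a zone key at all
    rdata = key.rdata()
    if ds.algorithm != key.algorithm or ds.key_tag != key_tag(rdata):
        return False
    expected = hashlib.sha256(name_to_wire(key.owner) + rdata).digest()
    return hmac.compare_digest(expected, ds.digest)


if __name__ == "__main__":
    # Constructed KSK for example.com; the matching DS can only appear in "com." (parent_zone).
    ksk = DNSKEY("example.com.", ZONE_KEY_FLAG | SEP_FLAG, 3, 13, bytes(range(64)))
    ds = make_ds(ksk)
    print(f"DS for {ksk.owner} is published in {parent_zone(ksk.owner)}; "
          f"tag={ds.key_tag} alg={ds.algorithm} digest={ds.digest.hex()}")
    print("legitimate key matches:", ds_matches(ds, ksk))
    rogue = DNSKEY("example.com.", ZONE_KEY_FLAG | SEP_FLAG, 3, 13, bytes(range(1, 65)))
    print("substituted key matches:", ds_matches(ds, rogue))
```

What this does not do is check the RRSIG over the DS RRset itself, or over the DNSKEY RRset at the child: a real validator walks that signature chain down from the root trust anchor, so the DS in the parent is only as trustworthy as the parent's own signed delegation. The key-tag and digest comparison above is the step that ties one specific child key to one specific parent zone.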