21 Aug
2010
21 Aug
'10
9:46 p.m.
On Sat, Aug 21, 2010 at 18:00, ML <ml@kenweb.org> wrote:
Would a future with a ubiquitous DNSSEC deployment eliminate the market for commercial CAs?
Would functioning DNSSEC + self signed certs be more secure/trustworthy than our current system of trusted CAs chosen by OS/browser developers?
See Dan Kaminski's presentation at this years BlackHat & Defcon for a proposal, and the prototype "glue" that provides a proof of concept. http://www.recursion.com/talks.html (I seem to recall the X.509/CA part starts about 3/4 of the way through the deck). That said, Dan does not suggest that everything a CA does is obsolete, there will still be a market for making sure that BankOfAmerica.com really is the bank you want to do business with (branding).