22 Aug
2010
22 Aug
'10
5:46 a.m.
On 22 aug 2010, at 03.00, ML wrote:
Would a future with a ubiquitous DNSSEC deployment eliminate the market for commercial CAs?
Would functioning DNSSEC + self signed certs be more secure/trustworthy than our current system of trusted CAs chosen by OS/browser developers?
For DV (domain validation) certificates one can definitely make that claim, but for EV (extended validation) I would see certificate validation in DNSSEC as a complement to EV. DNSSEC and EV together looks like a promising combination. Disclaimer: I am co-author of http://tools.ietf.org/html/draft-hoffman-keys-linkage-from-dns-00 (work in progress, see http://www.ietf.org/mailman/listinfo/keyassure for more information). jakob