On Mon, Sep 12, 2011 at 6:23 AM, Gregory Edigarov <greg@bestnet.kharkov.ua> wrote:
> I.e. instead of a set of trusted CAs there will be one distributed net of servers, that act as a cert storage?
> I do not see how that could help...

More lines of defense on top of the CA model. Consider instead of abandoning the CA model altogether, you utilize DNSSEC binding of the certificate that must also be signed by a CA.

If _either_ the DNSSEC record isn't present, doesn't validate, OR the certificate is not properly signed by a CA, then the certificate is considered invalid.

In this manner, DNSSEC protects you against interception by a rogue CA -- chances are the rogue CA has not also discovered your DNSSEC secret keys, and the CA signature protects you against a compromise of the DNS, or an attack by your domain registrar -- your domain registrar is probably not a CA and doesn't have the right paperwork, therefore can't get a CA signed certificate with your company's name.

The browsers then just need to revise their trust model to require no CA be affiliated with or owned by any organization affiliated with a provider of domain registration or DNS hosting services, to ensure there's no domain registrar entrusted to sign certs, and no CA entrusted to maintain DNSSEC data.

--
-JH
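
The acceptance rule proposed in the message above, sketched as an added example that is not part of the original email. The SHA-256 digest as the form of the DNSSEC binding, the `DnsBinding` type, the function names, and all sample data are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class DnsBinding:
    """Certificate binding from DNS (hypothetical model, not a real resolver API)."""
    cert_sha256: Optional[str]  # digest published in the zone; None if no record
    dnssec_valid: bool          # True if the DNSSEC signature chain validated

def accept_certificate(cert_der: bytes, ca_chain_ok: bool, dns: DnsBinding) -> tuple[bool, str]:
    """Accept only when BOTH the DNSSEC binding and the CA signature hold."""
    if dns.cert_sha256 is None:
        return False, "no DNSSEC binding record"
    if not dns.dnssec_valid:
        return False, "DNSSEC validation failed"
    if hashlib.sha256(cert_der).hexdigest() != dns.cert_sha256:
        return False, "certificate does not match DNSSEC binding"
    if not ca_chain_ok:
        return False, "not signed by a trusted CA"
    return True, "accepted"

def conflicted_cas(ca_affiliates: dict[str, set[str]], dns_providers: set[str]) -> list[str]:
    """CAs affiliated with a registrar or DNS host, which the trust store should exclude."""
    return sorted(ca for ca, orgs in ca_affiliates.items() if orgs & dns_providers)

# Constructed sample data: byte strings stand in for DER-encoded certificates.
SITE_CERT = b"constructed: legitimate site certificate"
FAKE_CERT = b"constructed: attacker-controlled certificate"

def run_scenarios() -> dict[str, tuple[bool, str]]:
    site_pin = DnsBinding(hashlib.sha256(SITE_CERT).hexdigest(), True)
    fake_pin = DnsBinding(hashlib.sha256(FAKE_CERT).hexdigest(), True)
    return {
        "normal": accept_certificate(SITE_CERT, True, site_pin),
        # Rogue CA signs a fake cert, but cannot change the signed zone data.
        "rogue_ca": accept_certificate(FAKE_CERT, True, site_pin),
        # DNS or registrar compromise republishes the binding, but has no CA signature.
        "dns_compromise": accept_certificate(FAKE_CERT, False, fake_pin),
        "record_missing": accept_certificate(SITE_CERT, True, DnsBinding(None, False)),
    }

if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:15} accepted={ok} ({reason})")
    print(conflicted_cas({"ExampleCA": {"ExampleRegistrar"}, "OtherCA": {"OtherCorp"}},
                         {"ExampleRegistrar"}))
```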