nanog mailing list archives

Re: DNSSEC and SSL

From: Mikael Abrahamsson <swmike () swm pp se>
Date: Sun, 22 Aug 2010 08:38:03 +0200 (CEST)

On Sat, 21 Aug 2010, ML wrote:

Would a future with a ubiquitous DNSSEC deployment eliminate the market
for commercial CAs?

No, but it might eliminate the cheapest certs that people might use. I'dlike my personal server to have a self-signed cert with it's fingerprinthandled via DNSSEC, because I don't want to pay a CA.

Would functioning DNSSEC + self signed certs be more secure/trustworthythan our current system of trusted CAs chosen by OS/browser developers?

No, because DNSSEC isn't secured all the way from the DNS server to theapplication, only to the resolver. Both systems have problems, I'd imaginethe best security is when they work together.


--
Mikael Abrahamsson    email: swmike () swm pp se

Current thread:

DNSSEC and SSL ML (Aug 21)
- Re: DNSSEC and SSL Gary Buhrmaster (Aug 21)
- Re: DNSSEC and SSL Mikael Abrahamsson (Aug 21)
  - Re: DNSSEC and SSL ML (Aug 22)
    - Re: DNSSEC and SSL Mans Nilsson (Aug 22)
    - Re: DNSSEC and SSL bmanning (Aug 22)
    - Re: DNSSEC and SSL Wes Hardaker (Aug 23)
    - Re: DNSSEC and SSL Tony Finch (Aug 23)
    - Re: DNSSEC and SSL Curtis Maurand (Aug 23)
    - Re: DNSSEC and SSL Doug Barton (Aug 23)
    - Re: DNSSEC and SSL bmanning (Aug 22)
    - Re: DNSSEC and SSL Tony Finch (Aug 23)
    - Re: DNSSEC and SSL Jakob Schlyter (Aug 23)

(Thread continues...)