nanog mailing list archives

Re: DNSSEC and SSL

From: Gary Buhrmaster <gary.buhrmaster () gmail com>
Date: Sat, 21 Aug 2010 18:46:39 -0700

On Sat, Aug 21, 2010 at 18:00, ML <ml () kenweb org> wrote:

Would a future with a ubiquitous DNSSEC deployment eliminate the market
for commercial CAs?

Would functioning DNSSEC + self signed certs be more secure/trustworthy
than our current system of trusted CAs chosen by OS/browser developers?


See Dan Kaminski's presentation at this years BlackHat & Defcon
for a proposal, and the prototype "glue" that provides a proof of
concept.  http://www.recursion.com/talks.html (I seem to recall
the X.509/CA part starts about 3/4 of the way through the deck).

That said, Dan does not suggest that everything a CA does
is obsolete, there will still be a market for making sure that
BankOfAmerica.com really is the bank you want to do
business with (branding).

Current thread:

DNSSEC and SSL ML (Aug 21)
- Re: DNSSEC and SSL Gary Buhrmaster (Aug 21)
- Re: DNSSEC and SSL Mikael Abrahamsson (Aug 21)
  - Re: DNSSEC and SSL ML (Aug 22)
    - Re: DNSSEC and SSL Mans Nilsson (Aug 22)
    - Re: DNSSEC and SSL bmanning (Aug 22)
    - Re: DNSSEC and SSL Wes Hardaker (Aug 23)
    - Re: DNSSEC and SSL Tony Finch (Aug 23)
    - Re: DNSSEC and SSL Curtis Maurand (Aug 23)
    - Re: DNSSEC and SSL Doug Barton (Aug 23)
    - Re: DNSSEC and SSL bmanning (Aug 22)
    - Re: DNSSEC and SSL Tony Finch (Aug 23)

(Thread continues...)