Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

[Tony Finch <dot () dotat at>]

Mike Jones <mike () mikejones in> wrote:
> DNSSEC deployment is advanced enough now to do that automatically at the
> client.

Sadly not quite. DNSSEC does have the potential to provide an alternative
public key infrastructure, and I'm keen to see that happen. But although
it works well between authoritative servers and recursive resolvers, there
are a lot of shitty DNS forwardersin CPE and captive portals and so on
which do not understand DNSSEC. And DNSSEC does not work unless all the
forwarders and recursors that you are using support it. So DNSSEC on the
client has a long way to go.

Tony.
-- 
f.anthony.n.finch  <dot () dotat at>  http://dotat.at/
Hebrides, Southeast Bailey: Westerly 5 to 7 until later in south Hebrides,
otherwise northwesterly 3 or 4, increasing 5 to 7. Rough or very rough,
occasionally high in south Hebrides. Rain or showers. Good, occasionally
poor.