DNSSEC and SSL

Jakob Schlyter jakob at kirei.se
Sun Aug 22 04:46:41 CDT 2010


On 22 aug 2010, at 03.00, ML wrote:

> Would a future with a ubiquitous DNSSEC deployment eliminate the market
> for commercial CAs?
> 
> Would functioning DNSSEC + self signed certs be more secure/trustworthy
> than our current system of trusted CAs chosen by OS/browser developers?

For DV (domain validation) certificates one can definitely make that claim, but for EV (extended validation) I would see certificate validation in DNSSEC as a complement to EV.

DNSSEC and EV together look like a promising combination.

Disclaimer: I am co-author of http://tools.ietf.org/html/draft-hoffman-keys-linkage-from-dns-00 (work in progress, see http://www.ietf.org/mailman/listinfo/keyassure for more information).


	jakob





More information about the NANOG mailing list