Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Martin Millnert millnert at gmail.com
Mon Sep 12 10:12:08 UTC 2011


On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones <mike at mikejones.in> wrote:
> It will take a while to get updated browsers rolled out to enough
> users for it do be practical to start using DNS based self-signed
> certificated instead of CA-Signed certificates, so why don't any
> browsers have support yet? are any of them working on it?

Chrome v 14 works with DNS stapled certificates, sort of a hack. (
http://www.imperialviolet.org/2011/06/16/dnssecchrome.html )

There are other proposals/ideas out there, completely different to
DANE / DNSSEC, like http://perspectives-project.org/ /
http://convergence.io/ .


More information about the NANOG mailing list