Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Randy Bush randy at psg.com
Mon Sep 12 10:12:24 CDT 2011

>> as eliot pointed out, to defeat dane as currently written, you would
>> have to compromise dnssec at the same time as you compromised the CA at
>> the same time as you ran the mitm.  i.e. it _adds_ dnssec assurance to
>> CA trust.
> Yes, I saw that. It also drives up complexity too and makes you wonder
> what the added value of those cert vendors is for the money you're
> forking over.  Especially when you consider the criticality of dns
> naming for everything except web site host names using tls. And how
> long would it be before browsers allowed
> self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?


More information about the NANOG mailing list