[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

Ralph Holz holz at net.in.tum.de
Thu Jul 14 04:57:56 EDT 2011

Good day,

> This is like designing a bicycle with three and a half wheels.  Any
> restructuring that makes DNSSEC useful would make the CAs useless.  The
> goal of their design is not to make DNSSEC useful, but to make it useful
> in a fashion that does not harm the CA business model.

With one notable exception: at the current state, Keys-in-DNSSEC is only
for authentication of domains. They would replace the "domain-validated"
certs that CAs often issue (and I would guess it's their cash cow).

CAs could still issue their Extended Validation certs which identify the
organization behind the domain by a given trade name. There are not many
of these yet, though, presumably due to the pricing.

So, in summary, CAs would lose their cash cow, and most but not all of
them would probably become useless soon, indeed. Let's see how things
develop at Mozilla.


Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
