[cryptography] FW: Request - PKI/CA History Lesson - the definition of trust

John Levine johnl at iecc.com
Mon May 5 15:58:24 EDT 2014


>You're right, yes (I did forget :), but if a DNS can somehow guarantee a
>correct "hostname->IPAddress" mapping, then it can also guarantee a correct
>"hostname->public key" (or self-signed certificate) mapping. Web servers
>would present a self-signed certificate with the public key to HTTPS (TLS)
>clients, and the client-side PKIX chain validation would need to be modified
>to validate that the public key matches that which is in the DNS.

You're not the first person to think of this idea, and might want to
read RFCs 6698 and 6394.

R's,
John
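The check the quoted message describes (compare the public key the server presents with one published in DNS) is what RFC 6698 standardizes as the TLSA record, and RFC 6394 is the use-case document for it. As an added example that is not part of this thread, the stdlib-only Python below does the client-side half for the DANE-EE case (certificate usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256): it walks the DER of a presented certificate to pull out the SPKI, hashes it the way the RFC specifies, and compares it in constant time against the TLSA rdata. The certificate, key bytes and signature are constructed placeholders (the signature is not valid, and the key is not a real Ed25519 key), the hostname `example.test` is made up, and the DNSSEC-validated lookup of `_443._tcp.example.test TLSA` is assumed to have already returned `TLSA_RDATA`; without DNSSEC, the guarantee the quoted message relies on does not exist.

```python
"""DANE-EE (RFC 6698 usage 3) matching of a presented certificate against a TLSA
record. Added example with a constructed placeholder certificate, not thread code."""
import hashlib
import hmac


# --- minimal DER helpers, enough to walk X.509 fields ---------------------
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; handles short and long length forms."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf: bytes, off: int = 0):
    """Decode the TLV at buf[off]; returns (tag, value, end_offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long form: next k bytes hold the length
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln


def children(body: bytes):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, off = [], 0
    while off < len(body):
        start = off
        tag, val, off = read_tlv(body, off)
        out.append((tag, val, body[start:off]))
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo TLV, which is what TLSA selector 1 covers."""
    _, cert_body, _ = read_tlv(cert_der)            # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body)                 # tbsCertificate is its first element
    fields = children(tbs)
    if fields[0][0] == 0xA0:                        # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


# --- TLSA record handling --------------------------------------------------
def parse_tlsa_rdata(text: str):
    """Parse presentation format 'usage selector matching hex...' into a tuple."""
    usage, selector, matching, *hexparts = text.split()
    return int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts))


def tlsa_assoc_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Compute the Certificate Association Data for cert_der under selector/matching."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)  # 0 = full cert, 1 = SPKI
    if matching == 0:
        return data                                 # exact match, no hash
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def dane_ee_match(cert_der: bytes, tlsa) -> bool:
    """True iff the leaf certificate matches a usage-3 (DANE-EE) TLSA record.

    Usage 3 means the DNS record itself authenticates the end-entity key, so no PKIX
    chain is required; usages 0-2 still need chain validation and are rejected here."""
    usage, selector, matching, assoc = tlsa
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    return hmac.compare_digest(tlsa_assoc_data(cert_der, selector, matching), assoc)


# --- constructed sample data: NOT real keys and NOT a valid signature ------
def ed25519_spki(raw_key: bytes) -> bytes:
    """SubjectPublicKeyInfo shape for an Ed25519 key (OID 1.3.101.112)."""
    return der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, b"\x00" + raw_key))


def build_synthetic_cert(spki: bytes) -> bytes:
    """Assemble a structurally valid X.509 v3 certificate around spki; placeholder signature."""
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"example.test"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name + validity + name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + bytes(16)))


SERVER_SPKI = ed25519_spki(bytes(range(32)))                              # placeholder key bytes
SERVER_CERT = build_synthetic_cert(SERVER_SPKI)
ATTACKER_CERT = build_synthetic_cert(ed25519_spki(bytes(range(32, 64))))  # same name, other key
# What the zone operator would publish at _443._tcp.example.test (3 1 1 = DANE-EE, SPKI, SHA-256):
TLSA_RDATA = "3 1 1 " + hashlib.sha256(SERVER_SPKI).hexdigest()

if __name__ == "__main__":
    rec = parse_tlsa_rdata(TLSA_RDATA)
    print("server cert matches TLSA:  ", dane_ee_match(SERVER_CERT, rec))    # True
    print("attacker cert matches TLSA:", dane_ee_match(ATTACKER_CERT, rec))  # False
```

The same "3 1 1" value for a real certificate can be produced with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256`, which is a useful cross-check that the SPKI extraction above is hashing the right bytes (the full DER TLV, tag and length included). Note that selector 1 pins the key rather than the certificate, so the server can reissue a certificate for the same key without touching DNS; selector 0 would pin the exact certificate and require a DNS change on every renewal.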
