[SSL Observatory] SSL CA compromise in the wild
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Mar 23 09:46:25 PDT 2011
On 03/23/2011 12:32 PM, Ludwig Nussel wrote:
> The domain registry could simply issue the certificate at the same
> time it assigns the domain name.
Your proposal doesn't address hosts within the zone -- it only addresses
the top label in the zone.
I believe the proposal that seems likely to proceed for
X.509-certs-in-DNS is DANE:
https://tools.ietf.org/html/draft-ietf-dane-protocol
Of course, the end points would need fully-verified DNSSEC for this to
provide an authenticated proof of DNS identity.
--dkg
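To make the DANE mechanism dkg points at concrete, here is an added example (not from the message above, and not code from the DANE working group) that builds a TLSA record for a server certificate and applies it on the client side. The field semantics (certificate usage, selector, matching type) follow the version of draft-ietf-dane-protocol that was later published as RFC 6698; the certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and a real client would take them from the leaf certificate presented in the TLS handshake. The check also encodes the caveat in the message: a TLSA answer that did not arrive with DNSSEC validation (the resolver's AD bit, or local validation) is ignored outright.

```python
import hashlib
from dataclasses import dataclass

# TLSA certificate-usage values (draft-ietf-dane-protocol, as published in RFC 6698 sec. 2.1.1)
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
# Selector: which part of the certificate the association data covers
SEL_FULL_CERT, SEL_SPKI = 0, 1
# Matching type: how the selected bytes appear in the record
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed placeholder stand-ins for a real DER certificate and its
# SubjectPublicKeyInfo; a deployment would extract both from the leaf
# certificate the server presents in the TLS handshake.
CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes-for-example-only"
SPKI_DER = b"\x30\x59" + b"constructed-subjectpublickeyinfo-bytes"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

    def to_presentation(self, owner: str = "_443._tcp.example.com.") -> str:
        """Render as zone-file text, e.g. '_443._tcp.example.com. IN TLSA 3 1 1 <hex>'."""
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.matching} {self.data.hex()}"

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        """Parse the zone-file form; the hex data may be split across whitespace."""
        fields = text.split()
        i = fields.index("TLSA")
        usage, selector, matching = (int(f) for f in fields[i + 1:i + 4])
        return cls(usage, selector, matching, bytes.fromhex("".join(fields[i + 4:])))


def association_data(selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the TLSA data field must contain for this certificate."""
    if selector == SEL_FULL_CERT:
        selected = cert_der
    elif selector == SEL_SPKI:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == MATCH_EXACT:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_for(cert_der: bytes, spki_der: bytes, usage: int = USAGE_DANE_EE,
             selector: int = SEL_SPKI, matching: int = MATCH_SHA256) -> TLSA:
    """Build the record a zone operator would publish for this end-entity certificate."""
    return TLSA(usage, selector, matching, association_data(selector, matching, cert_der, spki_der))


def dane_accepts(record: TLSA, cert_der: bytes, spki_der: bytes,
                 dnssec_validated: bool, pkix_valid: bool) -> bool:
    """Decide whether a presented end-entity certificate is accepted under one TLSA record.

    dnssec_validated: the AD bit from a validating resolver, or the result of local validation.
    pkix_valid: the outcome of ordinary chain validation against the local CA set.
    """
    # Without validated DNSSEC the record proves nothing and must be ignored.
    if not dnssec_validated:
        return False
    if record.usage in (USAGE_PKIX_TA, USAGE_DANE_TA):
        # Trust-anchor usages constrain a CA in the chain, not the leaf; not handled here.
        raise NotImplementedError("trust-anchor usages need the full chain")
    if record.usage == USAGE_PKIX_EE and not pkix_valid:
        # Usage 1 only narrows which PKIX-valid certificate is acceptable; a CA is still needed.
        return False
    # Usage 3 (DANE-EE) stands alone: the DNSSEC-signed association replaces the CA.
    return association_data(record.selector, record.matching, cert_der, spki_der) == record.data


if __name__ == "__main__":
    rec = tlsa_for(CERT_DER, SPKI_DER)
    print(rec.to_presentation())
    print("accepted:", dane_accepts(rec, CERT_DER, SPKI_DER, dnssec_validated=True, pkix_valid=False))
```

With usage 3 the association alone decides, which is what makes DANE a replacement for (rather than an addition to) the CA system for that name; with usage 1 the same record merely pins which CA-issued certificate is acceptable. Either way the decision is only as strong as the DNSSEC validation that delivered the record, which is the point of the caveat in the message.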