On Tue, May 24, 2011 at 7:42 AM, Tony Finch <[email protected]> wrote:
>> But the trust only extends to trusting the records; you might be assured
>> that the record you receive really is from example.org, for example, but
>> there's no telling who example.org *is*.
>
> This is also true for most CA certificates since they are domain validated.
> EV certs are expensive and relatively rare, and I expect they will suffer
> a race to the bottom just like standard certs did.

The CA framework is imperfect, but xbosh depends on *both* that and DNSSEC, so it ends up with the sum of the weaknesses of both systems.

> https://datatracker.ietf.org/wg/dane/
>
> DANE also allows you to restrict which CAs are used for certificate
> validation, so you can protect yourself against rogue CAs.

This is cute: it yanks the trust mechanism away from the CA framework, redirecting it to DNSSEC, by essentially allowing people to make DNSSEC their CA and disable the CA framework for their domain. (That's 3.3 in the use cases doc; I haven't looked at the protocol draft.)

This does, in its way, deal with the additional-trust-anchor problem, by moving the source of trust to DNSSEC entirely. If this makes it to production, it seems like it could eventually kill off CA certificates entirely (the cheap domain-validated kind, at least).

--
Glenn Maynard
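As an added illustration of the CA-restriction point discussed above (example code, not from this thread or from the DANE working group): a simplified Python matcher for RFC 6698 TLSA records, showing how usages 0/1 keep the CA framework in the loop while usages 2/3 replace it with the DNSSEC-published anchor. The certificate blobs are constructed placeholders, and the PKIX validation result is passed in as a flag rather than computed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes

def association_data(cert, selector, mtype):
    """cert is a (cert_der, spki_der) pair; return what the record data must equal."""
    chosen = cert[selector]
    if mtype == 0:
        return chosen
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    if mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError("unknown matching type")

def tlsa_accepts(rec, chain, pkix_valid):
    """chain: list of (cert_der, spki_der) pairs, end entity first, then CAs.
    pkix_valid: result of ordinary CA-framework path validation for the chain."""
    # Usages 0 and 1 still require the CA framework to accept the chain; 2 and 3 do not.
    if rec.usage in (0, 1) and not pkix_valid:
        return False
    # EE usages (1, 3) match only the leaf; TA usages (0, 2) match a CA cert in the chain.
    # (Simplified: a full DANE-TA check also verifies the chain was issued by that anchor.)
    candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
    return any(association_data(c, rec.selector, rec.mtype) == rec.data for c in candidates)

# Constructed placeholder blobs standing in for DER certificates and SPKIs (not real X.509).
LEGIT_CA = (b"der:legit-ca", b"spki:legit-ca")
ROGUE_CA = (b"der:rogue-ca", b"spki:rogue-ca")
SERVER = (b"der:example.org", b"spki:example.org")

def pin(cert, usage):
    """TLSA record pinning a cert by SHA-256 of its SubjectPublicKeyInfo (selector 1, mtype 1)."""
    return TLSA(usage, 1, 1, hashlib.sha256(cert[1]).digest())

def demo():
    rec = pin(LEGIT_CA, 0)  # PKIX-TA: the chain must validate AND pass through this CA
    good = tlsa_accepts(rec, [SERVER, LEGIT_CA], pkix_valid=True)
    # A rogue CA the CA framework would accept is rejected: it is not the pinned anchor.
    rogue = tlsa_accepts(rec, [SERVER, ROGUE_CA], pkix_valid=True)
    # DANE-TA: the same pin works with the CA framework switched off entirely.
    dane_only = tlsa_accepts(pin(LEGIT_CA, 2), [SERVER, LEGIT_CA], pkix_valid=False)
    return good, rogue, dane_only  # returns (True, False, True)
```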
