On 08/22/2010 06:56 AM, Jakob Schlyter wrote:
> There is a lot of work going on in this area, including how to use secure DNS to associate the key that appears in a TLS server's certificate with the intended domain name [1]. Adding HSTS to this mix does make sense and is something that is discussed, e.g. on the keyassure mailing list [2].
There is a large vested interest in the Certification Authority industry selling SSL domain name certificates. A secure DNS scenario is having a public key registered at the time the domain name is registered ... and then a different kind of TLS ... where the public key is returned in piggy-back with the domain name to IP address mapping response. This doesn't have the revenue infrastructure add-on that happened with the Certification Authority ... it just is bundled as part of the existing DNS infrastructure. I've pontificated for years that it is a catch-22 for the Certification Authority industry ... since there are aspects of improving the integrity of the DNS infrastructure, i.e. the Certification Authority industry is dependent on DNS ... aka the Certification Authority industry has to match the information from the SSL digital certificate applicant with the true owner of the domain name on file with the DNS infrastructure (among other things, requiring digitally signed communication that is authenticated with the on-file public key in the domain name infrastructure is a countermeasure to domain name hijacking ... which then cascades down the trust chain to hijackers applying for valid SSL domain name certificates). At the 50k-foot level, SSL domain name certificates were countermeasures to various perceived shortcomings in DNS integrity ... nearly any kind of improvement in DNS integrity contributes to reducing the motivation for SSL domain name certificates. Significantly improving the integrity of DNS would eliminate all motivation for SSL domain name certificates. This would then adversely affect the revenue flow for the Certification Authority industry.
I've also periodically claimed that OCSP appeared to be a (very Rube Goldberg) response to my position that digital certificates (appended to every payment transaction) would actually set the state-of-the-art back 30-40 yrs (as opposed to their claims that appended digital certificates would bring payments into the modern era ... that was separate from the issue of the redundant and superfluous digital certificates representing a factor of 100 times payment transaction payload and processing bloat). Anything that appears to eliminate competition for paid-for SSL digital certificates and/or strengthen the position of Certification Authorities ... might be construed as having an industry profit motivation.

-- 
virtualization experience starting Jan1968, online at home since Mar1970

The Cryptography Mailing List
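The client-side check implied by the reply above (a public key fingerprint carried alongside the name-to-address answer from secure DNS, compared against the key the TLS server actually presents, in the spirit of the DNS/TLS key association referenced in [1]) is sketched here as an added example; it is not code from the thread, and the DNS answer layout, the zone contents and the SPKI bytes are constructed stand-ins rather than any real record type.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DnsAnswer:
    """Constructed stand-in for a validated DNS answer that piggy-backs the
    SHA-256 fingerprint of the key registered with the domain name.
    (Hypothetical layout, not an actual resource record format.)"""
    name: str
    address: str
    spki_sha256: bytes
    dnssec_validated: bool


def spki_fingerprint(spki_der: bytes) -> bytes:
    """Fingerprint over the DER SubjectPublicKeyInfo the TLS server presents."""
    return hashlib.sha256(spki_der).digest()


# Constructed zone data: the key is recorded when the name is registered.
REGISTERED_SPKI = b"\x30\x59\x30\x13constructed-spki-bytes-for-example-com"
ZONE = {
    "example.com": DnsAnswer("example.com", "192.0.2.10",
                             spki_fingerprint(REGISTERED_SPKI), True),
    # An answer that could not be DNSSEC-validated carries no trustworthy binding.
    "unsigned.example": DnsAnswer("unsigned.example", "192.0.2.20",
                                  spki_fingerprint(REGISTERED_SPKI), False),
}


def resolve(name: str) -> Optional[DnsAnswer]:
    return ZONE.get(name)


def accept_server_key(name: str, presented_spki_der: bytes) -> bool:
    """Accept the TLS server's key only if a validated DNS answer for the
    name exists and its fingerprint matches the presented key."""
    answer = resolve(name)
    if answer is None or not answer.dnssec_validated:
        return False  # no binding, or an unverifiable one: do not trust the key
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(spki_fingerprint(presented_spki_der),
                               answer.spki_sha256)
```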