On Sun, Aug 22, 2010 at 11:51:01AM -0400, Anne & Lynn Wheeler wrote:
> On 08/22/2010 06:56 AM, Jakob Schlyter wrote:
> >There is a lot of work going on in this area, including how to use secure DNS to
> >associate the key that appears in a TLS server's certificate with the intended
> >domain name [1]. Adding HSTS to this mix does make sense and is something that is
> >discussed, e.g. on the keyassure mailing list [2].
> 
> There is a large vested interest in the Certification Authority industry
> selling SSL domain name certificates. A secure DNS scenario is having
> a public key registered at the time the domain name is registered ...
> and then a different kind of TLS ... where the public key is returned
> in piggy-back with the domain name to ip-address mapping response.


        for the conservative - they may want to verify the DNSSEC
        trust chains for both the domain name and the IP address.

        e.g. is it the same EV cert at the end of both validation
        checks.

--bill

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
