On 7/09/13 10:15 AM, Gregory Perry wrote:

Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for confidentiality (although that
would have been a bonus).

If so, then the domain owner can deliver a public key with authenticity using the DNS. This strikes a deathblow to the CA industry. This threat is enough for CAs to spend a significant amount of money slowing down its development [0].

How much more obvious does it get [1]?


[0] If one is a finance geek, one can even calculate how much money the opponents are willing to spend.

[1] As an aside, NSA/DoD have invested significant capital in the PKI as well. Sufficient that they will be well aligned with the CA mission, and sufficient that they will approve of any effort to keep the CAs in business. But this part is far less obvious.

The cryptography mailing list
