The sovereign keys proposal, is to ensure that a website can only have
one key at at time - so that the bad guys cannot get a another
certificate for the same website from some highly cooperative or highly
incompetent certificate authority.
The proposed system seems to me overly complex and not fully thought
through.
DNSSEC is intended to enable someone to securely get from a domain name
to a network address, which network address is supplied by the domain
holder, and may change quite frequently.
I suggest DNSEC also serve up the hash of the public key for that domain
when it securely serves up the domain name, and allow the owner of the
domain to supply that hash from time to time, just as he supplies the
network address from time to time.
This would require no new infrastructure, no new institutions, no new
procedures, and no additional network round trips. (Of course it would
also require DNSEC to actually work in a useful fashion.)
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography