Related to the discussion of how X509 is broken and various hacks to
make it work:
What I would really like to see is a scheme adopted like SPF for mail: a
TXT DNS entry for your domain that has the CA (or a fingerprint for the
CA, or maybe the whole public cert). That way you can be unequivocal
about who the valid CA for your domain is.
To me that would solve the biggest problem with the "set of 'trusted'
CAs" issue.
This is not without new attack vectors: you can only trust DNS responses
as far as DNS-SEC goes, which unfortunately ends one-hop before
end-systems (unless you run your own DNS server and force everything on
your home network to use that; which I do but don't know how common that
is).
Matt
_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
