Gregory,

On Mon, Sep 12, 2011 at 1:23 PM, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> On Mon, 12 Sep 2011 12:12:08 +0200
> Martin Millnert <milln...@gmail.com> wrote:
>
>> Mike,
>>
>> On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones <m...@mikejones.in> wrote:
>> > It will take a while to get updated browsers rolled out to enough
>> > users for it to be practical to start using DNS based self-signed
>> > certificates instead of CA-Signed certificates, so why don't any
>> > browsers have support yet? Are any of them working on it?
>>
>> Chrome v 14 works with DNS stapled certificates, sort of a hack. (
>> http://www.imperialviolet.org/2011/06/16/dnssecchrome.html )
>>
>> There are other proposals/ideas out there, completely different to
>> DANE / DNSSEC, like http://perspectives-project.org/ /
>> http://convergence.io/ .
>
> I.e. instead of a set of trusted CAs there will be one distributed net
> of servers, that act as a cert storage?
> I do not see how that could help...
> Well, I do not even see how can one trust any certificate that is
> issued by a commercial organization.

As I understand it the idea is that you would have the power/capability to assign trust yourself to friends, CAs and your cat. This then forms some form of (washed out word-warning) web of trust, when you connect up with others and get their one-step-away-trust imported.

Outsourcing trust is a pretty hard problem... there's no way to get around it, really, so this approach (as per my limited research) at least gives you some power to control it.

Regards,
Martin