In message <20090105201859.gc15...@ferrum.uhlenkott.net>, Jason Uhlenkott writes:
> On Fri, Jan 02, 2009 at 15:33:05 -0600, Joe Greco wrote:
> > This would seem to point out some critical shortcomings in the current SSL
> > system; these shortcomings are not necessarily technological, but rather
> > social/psychological. We need the ability for Tom, Dick, or Harry to be
> > able to crank out an SSL cert with a minimum of fuss or cost; having to
> > learn the complexities of SSL is itself a "fuss" which has significantly
> > and negatively impacted Internet security.
> >
> > Somehow, we managed to figure out how to do this with PGP and keysigning,
> > but it all fell apart (I can hear the "it doesn't scale" already) with SSL.
>
> If we had DNSSEC, we could do away with SSL CAs entirely. The owner
> of each domain or host could publish a self-signed cert in a TXT RR,
> and the DNS chain of trust would be the only form of validation needed.

Or one could use the CERT to publish a cert :-)

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org