On 22 aug 2010, at 03.00, ML wrote: > Would a future with a ubiquitous DNSSEC deployment eliminate the market > for commercial CAs? > > Would functioning DNSSEC + self signed certs be more secure/trustworthy > than our current system of trusted CAs chosen by OS/browser developers?
For DV (domain validation) certificates one can definitely make that claim, but for EV (extended validation) I would see certificate validation in DNSSEC as a complement to EV. DNSSEC and EV together looks like a promising combination. Disclaimer: I am co-author of http://tools.ietf.org/html/draft-hoffman-keys-linkage-from-dns-00 (work in progress, see http://www.ietf.org/mailman/listinfo/keyassure for more information). jakob
