On 9/12/11 4:32 PM, Jason Duerstock wrote: > Except that this just shifts the burden of trust on to DNSSEC, which > also necessitates a central authority of 'trust'. Unless there's an > explicitly more secure way of storing DNSSEC private keys, this just > moves the bullseye from CAs to DNSSEC signers.
I said "some", not all, of the responsibility. By adding an independent PKI there is an additional control put in place to confirm that in fact the signer is authorized to sign. Should one go as far as to remove CA caches from browsers altogether? Eliot
