Hello

Kyle Hamilton wrote:
> Maybe a TXT record or recordset with the AKIDs that it authorizes to
> sign things in that domain?

I suppose you mean TXT records in the DNS. (Excuse me for my ignorance, but what is an AKID?)

TXT records in the DNS may be a moderately useful way of restricting the set of root certificates that the rest of the world should consider trustworthy for communication with a certain domain. While this scheme might increase security somewhat, it in no way guarantees security, because it would easily fall to DNS poisoning. I do not see how TXT records containing any information would remove the need for a root CA which, and only which, is explicitly authorized locally at the client to sign certificates (or TXT records, whatever) for a specific domain.

Regards,
Balint Balogh

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
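The two positions in this exchange, as an added example that is not code from the thread or from either poster: the AKID Kyle Hamilton refers to is the X.509 Authority Key Identifier extension, which carries the key identifier of the certificate's issuer, so a TXT record listing "authorized AKIDs" would name the CA keys allowed to sign for the domain. The toy below implements that TXT check next to the client-local, per-domain authorization the reply argues is still required, and runs both against an honest and a poisoned DNS answer. The TXT syntax `v=caauthz1 akid=<hex>`, the domain, the key identifiers and the DNS answers are all constructed for the example; no real DNS or certificate parsing is performed.

```python
"""Added example: a toy check of the "authorized AKIDs in a DNS TXT record"
idea from the thread, next to the local per-domain authorization the reply
argues is still needed. All record formats, domain names, key identifiers and
DNS answers below are constructed for the example; the TXT syntax
"v=caauthz1 akid=<hex>" is an assumption, not something the thread defines.
No real DNS queries or X.509 parsing are done: an AKID is passed in as the
hex keyIdentifier taken from a certificate's Authority Key Identifier extension.
"""
from __future__ import annotations

import re
from typing import Iterable

TXT_VERSION = "v=caauthz1"  # assumed tag that marks a CA-authorization TXT record


def normalize_akid(akid: str) -> str:
    """Return the key identifier as uppercase hex without separators, so that
    'aa:bb:cc' and 'AABBCC' compare equal. Rejects anything that is not hex."""
    cleaned = akid.replace(":", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned) or len(cleaned) % 2:
        raise ValueError(f"not a hex key identifier: {akid!r}")
    return cleaned


def parse_authz_txt(records: Iterable[str]) -> set[str]:
    """Collect authorized AKIDs from TXT records of the assumed form
    'v=caauthz1 akid=<hex> [akid=<hex> ...]'. Other TXT records (SPF, site
    verification tokens, ...) share the same name and are skipped."""
    authorized: set[str] = set()
    for rec in records:
        fields = rec.split()
        if not fields or fields[0] != TXT_VERSION:
            continue
        for field in fields[1:]:
            if field.startswith("akid="):
                authorized.add(normalize_akid(field[len("akid="):]))
    return authorized


def authorized_by_txt(txt_records: Iterable[str], cert_akid: str) -> bool:
    """The proposal from the thread: trust the issuer iff its key identifier
    is listed in the domain's TXT record. An empty or absent list authorizes
    nothing (fail closed)."""
    allowed = parse_authz_txt(txt_records)
    return normalize_akid(cert_akid) in allowed


def authorized_by_local_pin(local_pins: dict[str, set[str]], domain: str, cert_akid: str) -> bool:
    """The reply's position: the client itself holds, per domain, the key
    identifier(s) of the only CA(s) allowed to sign for it."""
    pinned = {normalize_akid(a) for a in local_pins.get(domain, set())}
    return normalize_akid(cert_akid) in pinned


def evaluate(domain: str, dns_txt: dict[str, list[str]],
             local_pins: dict[str, set[str]], cert_akid: str) -> dict[str, bool]:
    """Run both checks against one DNS view. dns_txt stands in for the
    resolver answer, which is exactly what a poisoner controls."""
    return {
        "txt": authorized_by_txt(dns_txt.get(domain, []), cert_akid),
        "local_pin": authorized_by_local_pin(local_pins, domain, cert_akid),
    }


# --- constructed data (not real CAs, not a real zone) -----------------------
LEGIT_CA_AKID = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67"
ATTACKER_CA_AKID = "DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF"

# What the domain's real operator published (a TXT RRset that also carries SPF).
HONEST_DNS = {
    "example.org": ["v=spf1 -all", f"{TXT_VERSION} akid={LEGIT_CA_AKID}"],
}
# What a client sees after cache poisoning: the attacker swaps in their own CA.
POISONED_DNS = {
    "example.org": [f"{TXT_VERSION} akid={ATTACKER_CA_AKID}"],
}
# Client-side policy, configured out of band and untouched by DNS.
LOCAL_PINS = {"example.org": {LEGIT_CA_AKID}}


if __name__ == "__main__":
    for label, view in (("honest DNS", HONEST_DNS), ("poisoned DNS", POISONED_DNS)):
        for who, akid in (("legit CA", LEGIT_CA_AKID), ("attacker CA", ATTACKER_CA_AKID)):
            print(label, who, evaluate("example.org", view, LOCAL_PINS, akid))
```

Against the honest answer both checks agree; against the poisoned answer the TXT check accepts the attacker's CA while the local pin still rejects it, which is the point of the reply: a DNS-published list can narrow the set of acceptable roots, but whatever the client is willing to believe from DNS is only as trustworthy as the DNS answer itself.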