Last reply, I promise... On 02/12/2011 12:50 AM, From Stephen Schultze:
Today's DV CAs already rely on a self-assertion of domain control, and they in turn assert that they observed this. In plain english, a DV cert says, "The guy holding the corresponding private key asserted that he controls the domain in question by replying to an email address at the domain in question." It is a self-assertion via DNS.
With the difference that he had to jump through the validation procedure of the CA and the CA has control over the to-be issued certificate properties and revocation thereof.
Cryptographic validation of this self-assertion is precisely what signed DNS enables, and DANE is the mechanism for doing so.
The authentication of the DNS is very strong indeed, that's why CAs should use it if it becomes adopted to a reasonable level (and CAs might opt to require it too).
The only thing you are accomplishing is establishing potential liability for yourself if someone can show that they suffered harm after reasonably relying on a cert that you didn't effectively police as you promised.
Thank you for your concern, but why should we police our own policy differently in first place?
-- Regards Signer: Eddy Nigg, StartCom Ltd. XMPP: start...@startcom.org Blog: http://blog.startcom.org/ Twitter: http://twitter.com/eddy_nigg -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
