
CERT records

Posted Jan 13, 2007 17:26 UTC (Sat) by weasel (subscriber, #6031)
Parent article: Handicapping New DNS Extensions and Applications (O'ReillyNet)

What I would really like to see is SSL (x509) certificates or better just their fingerprint in DNS, and browsers (and other programs like your jabber client, MUA, etc.) making use of it.

Maybe something like
_443._tcp.example.org. CERT <magicbytes that say what this is> 17:37:8B:EE:E4:FF:96:D9:0A:B4:5B:57:56:08:D6:8E
(One could also imagine using the service name instead of the port number, but I guess the port is the smarter choice).

In the absence of such a CERT record clients would behave the same as now, that is do their CA verification dance and all.

If a CERT record is found but the fingerprint does not match the certificate a warning should be issued.

If a CERT record is found and we do not have a trusted (DNSSEC signed) answer then we still do the CA thing, but whether that fails or not we can still inform the user of what we found.

And last and most importantly, when we have a trusted CERT record and it matches we can just accept the certificate, even if it is signed by a CA we do not recognize or even if it is just self signed.

--
Peter
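The decision rules in the comment above (no record, mismatch, unsigned match, DNSSEC-validated match) written out as a small policy function. This is an added illustration, not code from the comment author or from LWN; the record layout, the `CertRecord` type and the certificate bytes are constructed for the example. The 16-byte value in the comment is the size of an MD5 digest; the example defaults to SHA-256 because MD5 is not collision-resistant.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the DER bytes of the certificate the server presented.
CERT_DER = b"constructed-der-bytes-for-example.org"


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the form used in the proposed record."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class CertRecord:
    fingerprint: str        # value found at _443._tcp.<name> (hypothetical CERT record)
    dnssec_validated: bool  # True only if the answer was DNSSEC-signed and validated


def decide(record: Optional[CertRecord], presented_der: bytes, ca_chain_ok: bool) -> str:
    """Apply the four cases from the comment and return an outcome label."""
    if record is None:
        # Case 1: no record, so behave as today: the CA verification decides.
        return "accept" if ca_chain_ok else "reject"

    # Constant-time compare so a mismatch does not leak how many bytes matched.
    matches = hmac.compare_digest(fingerprint(presented_der), record.fingerprint.upper())
    if not matches:
        # Case 2: record present but fingerprint differs: issue a warning.
        return "warn-mismatch"

    if not record.dnssec_validated:
        # Case 3: match, but the answer is unsigned and proves nothing on its own.
        # CA verification still decides; the user is informed of what was found.
        return "accept-informed" if ca_chain_ok else "reject-informed"

    # Case 4: signed answer matches, so the certificate is accepted even if it is
    # self-signed. Note what this proves: control of the DNSSEC-signed zone, not
    # anything about who operates it.
    return "accept"


if __name__ == "__main__":
    signed = CertRecord(fingerprint(CERT_DER), dnssec_validated=True)
    print(decide(signed, CERT_DER, ca_chain_ok=False))  # self-signed cert, accepted
```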


CERT records

Posted Jan 13, 2007 17:50 UTC (Sat) by micha (guest, #42747)

Peter wrote: "And last and most importantly, when we have a trusted CERT record and it matches we can just accept the certificate, even if it is signed by a CA we do not recognize or even if it is just self signed."

But what would be the downsides? Wouldn't it make it easier for phishers to fool innocent users by providing a fully accepted SSL certificate simply through a CERT record? You would require users to trust DNS even more, but spammers and phishers currently have no problem registering domains on the fly and will have no problem managing their DNS.

I don't know whether DNS can bear this burden of trust.

Micha

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds