User: Password:
Subscribe / Log in / New account

DNSSEC PKI alternative

DNSSEC PKI alternative

Posted Mar 31, 2011 15:08 UTC (Thu) by copsewood (subscriber, #199)
Parent article: Fallout from the fraudulent SSL certificates

At the moment it seems with HTTPS as currently implemented, the primary trust for most people and purposes is the choice of browser and the trusted CA certs which are packaged by Mozilla or Microsoft. HTTPS validation is a binary 1 or 0, but for identity trust to be useful in some contexts this could more usefully be graduated. I think the PKI which DNSSEC will build may be used in a similar way in practice, but I suspect that for some applications with specific client software, it will also become possible to weight trust anchors based upon registry reputation. So for example, if a future TLD registry called .bank implements much more rigorous checks over subdomains such as, then financial applications or plugins might indicate and take other actions based upon a higher trust level than over financial organisations within .com where cheaper identity verifications are exercised.

DNSSEC will come with the advantage that domain registrations and rollovers automatically come with a somewhat more flexible certificate allowing for signed and delegated subdomain zones, but not all trust anchors will be inherently equal in security, integrity, reliability or reputation.

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds