Re: Browser security warning

Stuart E. Schechter wrote:
>    I absolutely don't think commercial CAs are the only viable solution.  If
> I bought my domain name for $10/year, I'm not terribly keen on paying again
> for the cryptographic receipt that says I own it.

Good. So we agree that there are times when using a commercial CA
isn't the right way to go about offering secure connections to your
site. If the group thinks recommending anonymous D-H ciphersuites
is better than self-signed RSA certs, for those cases, then that might
be a way to go, though I've no clue whether or not there are interop
problems that way.

>    IETF RFC 4398 provides a mechanism with which to use DNSSEC to
> authenticate a site certificate using DNSSEC.  No commercial CA needed.

DNSSEC would be a great thing to have. Pity we don't.

And while there are a few proposals for putting security stuff into
DNS, those are all controversial. I do agree though that it's an avenue
that's worth pursuing, but just not here (since that'd be a new
protocol). One example currently bothering me is SSP - in the IETF
DKIM WG, and I know that Phill has ideas that whatever we do about
SSP there should be general enough to work for other protocols and
not just SMTP.

S.

Received on Thursday, 28 December 2006 15:18:21 UTC