- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 28 Dec 2006 15:19:09 +0000
- To: "Stuart E. Schechter" <ses@ll.mit.edu>
- CC: public-wsc-wg@w3.org

Stuart E. Schechter wrote:
> I absolutely don't think commercial CAs are the only viable solution. If
> I bought my domain name for $10/year, I'm not terribly keen on paying again
> for the cryptographic receipt that says I own it.

Good. So we agree that there are times when using a commercial CA isn't the right way to go about offering secure connections to your site. If the group think recommending anonymous D-H ciphersuites is better than self-signed RSA certs, for those cases, then that might be a way to go, though I've no clue whether or not there are interop problems that way.

> IETF RFC 4398 provides a mechanism with which to use DNSSEC to
> authenticate a site certificate using DNSSEC. No commercial CA needed.

DNSSEC would be a great thing to have. Pity we don't. And while there are a few proposals for putting security stuff into DNS, those are all controversial. I do agree though that it's an avenue that's worth pursuing, but just not here (since that'd be a new protocol). One example currently bothering me is SSP - in the IETF DKIM WG, and I know that Phill has ideas that whatever we do about SSP there should be general enough to work for other protocols and not just SMTP.

S.

Received on Thursday, 28 December 2006 15:18:21 UTC