Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
- From: greg at bestnet.kharkov.ua (Gregory Edigarov)
- Date: Mon, 12 Sep 2011 14:23:17 +0300
- In-reply-to: <CAHyNd14PWaAgB6t8e0Z3PWc-GhhjXyNOydtB=H0f-2bYaLJ83A@mail.gmail.com>
- References: <CAAAas8Fua4EbjwKs_wkrcyr1Y6TqXQYNOAC5VGANKmh3hNSfUA@mail.gmail.com> <CAHyNd14PWaAgB6t8e0Z3PWc-GhhjXyNOydtB=H0f-2bYaLJ83A@mail.gmail.com>
On Mon, 12 Sep 2011 12:12:08 +0200
Martin Millnert <millnert at gmail.com> wrote:
> Mike,
>
> On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones <mike at mikejones.in> wrote:
> > It will take a while to get updated browsers rolled out to enough
> > users for it to be practical to start using DNS based self-signed
> > certificates instead of CA-Signed certificates, so why don't any
> > browsers have support yet? Are any of them working on it?
>
> Chrome v 14 works with DNS stapled certificates, sort of a hack. (
> http://www.imperialviolet.org/2011/06/16/dnssecchrome.html )
>
> There are other proposals/ideas out there, completely different to
> DANE / DNSSEC, like http://perspectives-project.org/ /
> http://convergence.io/ .
I.e. instead of a set of trusted CAs there will be one distributed net
of servers that act as a cert storage?
I do not see how that could help...
Well, I do not even see how one can trust any certificate that is
issued by a commercial organization.
--
With best regards,
Gregory Edigarov