>You're right yes ( I did forget :), but if a DNS can somehow guarantee a
>correct "hostname->IPAddress" mapping, then it can also guarantee a correct
>"hostname->public key" ( or self signed certificate) mapping. WebServers
>would present a self-signed certificate with the public key to HTTPS(TLS)
>clients, and the client side PKIX chain validation would need to be modified
>to validate the public key matches that which is in the DNS.

You're not the first person to think of this idea, and might want to read
RFCs 6698 and 6394.

R's,
John
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
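
The check described in the quoted paragraph, matching the server's certificate or public key against DNS data, is what RFC 6698 specifies as the TLSA record. The following is an added example, not code from either poster: the matching step in Python, showing that a record pinned to the public key (selector 1) survives certificate reissue while one pinned to the full certificate (selector 0) does not. The helper names are hypothetical, the sample certificate is a constructed unsigned skeleton, the usage field is parsed but not enforced, and DNSSEC validation of the record is assumed to have already happened.

```python
import hashlib

def _tlv(buf, off):
    """Return (tag, value_start, end) for the DER element at offset off."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:  # long-form length: low 7 bits count the length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def extract_spki(cert_der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    off = _tlv(cert_der, 0)[1]           # into Certificate SEQUENCE
    off = _tlv(cert_der, off)[1]         # into TBSCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, off)
    if tag == 0xA0:                      # optional [0] version
        off = end
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        off = _tlv(cert_der, off)[2]
    return cert_der[off:_tlv(cert_der, off)[2]]

def tlsa_matches(rdata, cert_der):
    """Match a certificate against one TLSA record: 'usage selector mtype hex'."""
    _usage, selector, mtype, hexdata = rdata.split(None, 3)
    if selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        return False                     # unknown parameters: record is unusable
    data = cert_der if selector == "0" else extract_spki(cert_der)
    if mtype != "0":                     # 1 = SHA-256, 2 = SHA-512, 0 = exact bytes
        data = (hashlib.sha256 if mtype == "1" else hashlib.sha512)(data).digest()
    return data == bytes.fromhex(hexdata)

def _der(tag, body):                     # minimal DER encoder for the sample only
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def make_sample_cert(key, serial):
    """Constructed certificate-shaped skeleton, unsigned; for illustration only."""
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

def tlsa_record(selector, cert_der):
    """Build '3 <selector> 1 <sha256 hex>' (usage 3: domain-issued certificate)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"
```

With a real server, `cert_der` would be the DER certificate from the TLS handshake and `rdata` the DNSSEC-validated TLSA record for `_443._tcp.<hostname>`.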