On 02/06/2011 07:11 PM, From Zack Weinberg:
I'm going to ask you the same question I asked Nelson: In a hypothetical world where DNSSEC+TLSA completely supersedes DV (but people still use OV/EV for high-value sites) what do you see as having been lost? Or, turning it around, what value do you see DV signatures from CAs as providing over and above that provided by DNSSEC+TLSA?
One of the points to consider is the anti-phishing and flagging features built into CAs' systems (not all, but some). The ability to revoke certificates by a responsible third party is, however, probably a strong point in favor of CA-issued certificates, and CA-provided warranties on top are yet another. There is certainly more to what CAs do, provide and stand for besides the mere "point to point authentication".

I see a value in DV, just as IV/OV provide others. It all depends on the intended purpose. I believe in using the added capabilities of DNSSEC for CA-issued certificates once it gets adopted to a usable level; I don't believe that "just keys" in DNS can provide something that third parties can rely on (also entirely from a technical point of view). And having a CA take responsibility is obviously not only a technical solution to a certain problem.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
