On 2009-01-05, at 15:18, Jason Uhlenkott wrote:
If we had DNSSEC, we could do away with SSL CAs entirely. The owner of each domain or host could publish a self-signed cert in a TXT RR,
... or even in a CERT RR, as I heard various clever people talking about in some virtual hallway the other day. <http://www.isi.edu/in-notes/rfc2538.txt >.
and the DNS chain of trust would be the only form of validation needed.
Joe