On 4/11/21 8:59 AM, Viktor Dukhovni wrote:
> On Sun, Apr 11, 2021 at 03:34:06PM +0100, Ben Laurie wrote:
>> What I mean is that the authorities for DNS get compromised far more often
>> than CAs do.
> But any compromise of a registrant, registrar or registry also
> compromises CA certificate issuance. The CAs are redundant so
> long as the attestation they're performing is "domain control".
Also: this seems highly suspect as there are a plethora of companies
that offer both domain and certificate services. I find it pretty
questionable that they would be competent on the CA front and
incompetent on the DNS front. It doesn't do me any good to have a CA
cert when nobody can route to it after all.
Mike