On Sun, Apr 11, 2021 at 03:34:06PM +0100, Ben Laurie wrote:
> What I mean is that the authorities for DNS get compromised far more often
> than CAs do. Also, DNS has the same plethora of authorities with varying
> security responsibility.

When a registrar/registry gets compromised, it can issue credentials only for things in and below its zone(s). Customers can choose registrars known for security.

When a WebPKI CA gets compromised, it can issue credentials for any domain name anywhere in the DNS. Customers can't choose to make lame CAs not able to hurt them.

This is because one system has unyielding name constraints, and the other has none.

Name constraints are absolutely essential to a decent PKI.

Nico
--
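To make the name-constraint argument concrete, here is an added example that is not part of the thread: a small RFC 5280-style dNSName subtree check applied to constructed issuer chains, showing which names a compromised authority could mint credentials for when the issuers above it are constrained to a zone versus unconstrained. All issuer labels and the candidate names (RFC 2606 reserved domains) are constructed for illustration.

```python
"""RFC 5280-style dNSName name-constraint checks (added illustration)."""
from dataclasses import dataclass, field


def dns_in_subtree(name: str, base: str) -> bool:
    """True if `name` lies in the dNSName subtree `base` (RFC 5280 4.2.1.10):
    it equals the base or extends it on the left by whole labels only."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


@dataclass
class Issuer:
    """One authority in a chain. An empty `permitted` list means unconstrained."""
    label: str
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)

    def allows(self, dns_name: str) -> bool:
        if any(dns_in_subtree(dns_name, b) for b in self.excluded):
            return False
        return not self.permitted or any(dns_in_subtree(dns_name, b) for b in self.permitted)


def chain_allows(chain: list, dns_name: str) -> bool:
    """Constraints accumulate: every issuer above the leaf must allow the name."""
    return all(issuer.allows(dns_name) for issuer in chain)


def blast_radius(chain: list, candidates: list) -> list:
    """Names in `candidates` that a compromised last issuer of `chain` could mint
    credentials for, given the constraints imposed above it."""
    return [n for n in candidates if chain_allows(chain, n)]


# Constructed sample authorities using RFC 2606 reserved names; not real operators.
COM_REGISTRY = Issuer("com registry", permitted=["com"])
EXAMPLE_COM_ZONE = Issuer("example.com zone", permitted=["example.com"])
WEBPKI_ROOT = Issuer("WebPKI root CA")                  # no name constraints
WEBPKI_INTERMEDIATE = Issuer("WebPKI intermediate CA")  # no name constraints
CONSTRAINED_SUBCA = Issuer("constrained sub-CA", permitted=["example.org"])

CANDIDATES = ["example.com", "www.example.com", "example.net", "mail.example.org"]

if __name__ == "__main__":
    print("DNS zone compromise :", blast_radius([COM_REGISTRY, EXAMPLE_COM_ZONE], CANDIDATES))
    print("Unconstrained CA    :", blast_radius([WEBPKI_ROOT, WEBPKI_INTERMEDIATE], CANDIDATES))
    print("Constrained sub-CA  :", blast_radius([WEBPKI_ROOT, CONSTRAINED_SUBCA], CANDIDATES))
```

The label-boundary check matters: `notexample.com` is not inside the `example.com` subtree, which a naive suffix match would get wrong.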