On Wed, Apr 09, 2014 at 04:15:53PM -0400, Steve Crocker wrote:
> My own opinion is related but not identical. I agree solutions 1
> and 3 are failures; 1 doesn't provide the trust and 3 doesn't scale.
> Solution 2 is also problematic because the government tends to
> overreach and there isn't a single government.
>
> DNSSEC provides a base platform to build upon. It doesn't claim to
> provide the level of trust the CA system tried to provide. That's a
> key strength, not a weakness.

DNSSEC basically has the same properties as the "race to the bottom
certifying authorities" model, except it's a "race to the bottom of the
DNS registries" --- and in some cases, the same company runs both a CA
and a DNS registry. "Meet the new boss, same as the old boss"....

So if you're willing to disclaim the amount of trust that the CA system
purports to provide, it's really a question of "IPSEC" vs "TLS" ---
i.e., at which layer of the stack you are applying the protection.

Cheers,

- Ted