Hi all,

Assume the DNS system added a new resource record (RR), which allowed publishing the public key for a particular FQDN.

How secure or insecure would that be?

Is there a way to *securely* retrieve such information from, for example, an authoritative DNS server, without any middlebox (such as a DNS proxy) mangling it?

And having TLD DNS servers as the top "Root Certificate Authorities", so the X.509 SSL certificate chain could look like:

- "."
+- ".com."
|--+ "company_abc.com."
|-----+ "www.company_abc.com."
|-----+ "mail.company_abc.com."
|-----+ "ftps.company_abc.com."
etc...

I am not yet sure if this is possible or not, just loud thinking...

In theory, if possible, this should simplify certifications and make it easier to start an HTTPS server, cutting Verisign and friends out of the loop.

What do you think?

--
-Alexey Eromenko "Technologov"