On Sat, Dec 26, 2015 at 3:22 PM, Alexey Eromenko <al4321@xxxxxxxxx> wrote:
> Hi all,
>
> Assume the DNS system added a new resource record (RR), which allowed
> publishing the public key for a particular FQDN.
>
> How secure or insecure would that be?
>
> Is there a way to *securely* retrieve such information from, for
> example, an authoritative DNS server, without any middlebox (such as a
> DNS proxy) mangling it?
>
> And having TLD DNS servers as the top "Root Certificate Authorities",
> so the X.509 SSL certificate chain could look like:
>
> - "."
>   +- ".com."
>      |--+ "company_abc.com."
>      |-----+ "www.company_abc.com."
>      |-----+ "mail.company_abc.com."
>      |-----+ "ftps.company_abc.com."
> etc...
>
> I am not yet sure if this is possible or not, just thinking out loud...
> In theory, if possible, this should simplify certification and make
> it easier to start an HTTPS server, cutting Verisign and friends out
> of the loop.
>
> What do you think?

VeriSign Inc. has been out of that loop for 5 years. Their current business is running core DNS.

One of the issues people don't seem to consider in these schemes is that merely reducing the number of trusted intermediaries from ~40 to one doesn't actually remove reliance on trusted third parties; it merely removes all choice in the matter.
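A toy model of the zone-rooted chain sketched in the quoted message, added here as an illustration and not part of either message. The zone names are the ones from the quoted diagram; the keys, certificates and the "chain" data structure are constructed for the demo, and the signature scheme is unpadded textbook RSA over a stdlib Miller-Rabin prime generator, which stands in for a real signature algorithm and must not be used as one. A verifier that pins only the "." key and requires each certificate to be signed by the parent zone accepts the honest chain, but it accepts equally a chain that the ".com." operator mints for company_abc.com. behind the owner's back, which is the reply's point: the trusted third party is still there, it just cannot be swapped for another one.

```python
import hashlib
import secrets

# Toy signature scheme: unpadded textbook RSA. Illustration only, NOT secure.

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, good enough for demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Return (public, private) as ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def _to_be_signed(subject, pub):
    e, n = pub
    return int.from_bytes(hashlib.sha256(f"{subject}|{e}|{n}".encode()).digest(), "big")

def issue(subject, subject_pub, issuer_priv):
    """Issuer's private key signs 'this key belongs to subject'."""
    d, n = issuer_priv
    return {"subject": subject, "pub": subject_pub, "sig": pow(_to_be_signed(subject, subject_pub), d, n)}

def parent_zone(name):
    """'www.company_abc.com.' -> 'company_abc.com.', 'com.' -> '.'"""
    _, _, rest = name.partition(".")
    return rest or "."

def verify_chain(leaf, chain, root_pub):
    """Walk leaf -> '.', requiring each cert to be signed by its parent zone's key.
    chain maps zone name -> cert; root_pub is the only pinned trust anchor."""
    name = leaf
    while name != ".":
        cert = chain.get(name)
        if cert is None or cert["subject"] != name:
            return False
        issuer = parent_zone(name)
        if issuer == ".":
            issuer_pub = root_pub
        elif issuer in chain:
            issuer_pub = chain[issuer]["pub"]
        else:
            return False
        e, n = issuer_pub
        if pow(cert["sig"], e, n) != _to_be_signed(name, cert["pub"]):
            return False
        name = issuer
    return True

def scenario():
    """Returns (honest_ok, hijack_ok, unsigned_ok) as seen by a verifier pinning only '.'."""
    root_pub, root_priv = keygen()
    com_pub, com_priv = keygen()
    company_pub, company_priv = keygen()
    www_pub, _ = keygen()
    chain = {
        "com.": issue("com.", com_pub, root_priv),
        "company_abc.com.": issue("company_abc.com.", company_pub, com_priv),
        "www.company_abc.com.": issue("www.company_abc.com.", www_pub, company_priv),
    }
    honest_ok = verify_chain("www.company_abc.com.", chain, root_pub)
    # Whoever holds the '.com.' key re-issues company_abc.com. to a key they control
    # and mints a leaf under it; the real owner is never involved.
    evil_company_pub, evil_company_priv = keygen()
    evil_www_pub, _ = keygen()
    hijacked = {
        "com.": chain["com."],
        "company_abc.com.": issue("company_abc.com.", evil_company_pub, com_priv),
        "www.company_abc.com.": issue("www.company_abc.com.", evil_www_pub, evil_company_priv),
    }
    hijack_ok = verify_chain("www.company_abc.com.", hijacked, root_pub)
    # Without the parent zone's signature a self-issued zone key is rejected.
    unsigned = dict(hijacked)
    unsigned["company_abc.com."] = issue("company_abc.com.", evil_company_pub, evil_company_priv)
    unsigned_ok = verify_chain("www.company_abc.com.", unsigned, root_pub)
    return honest_ok, hijack_ok, unsigned_ok

if __name__ == "__main__":
    print(scenario())  # (True, True, False)
```

The verifier enforces the one structural rule the scheme has, that the issuer of each certificate is the parent zone, so a key that nobody above it signed is rejected. Nothing in the chain lets it distinguish the owner's key for company_abc.com. from one the parent zone issued on its own, so any ancestor zone (and anyone who compromises one) can impersonate every name beneath it.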