
Why not get rid of all certificate authorities and all the special kind of SSL c


Question

Why not get rid of all certificate authorities and all the special kinds of SSL certificates there are (extended validation etc.) and instead just require anyone who wanted SSL to write their own self-signed SSL certificate and then have it stored in DNS records?

Wouldn't that be easier than having to put trust in both 3rd-party certificate authorities and in DNSSEC? Also, then you could remove those security warnings given by browsers when using self-signed certificates; I mean, as long as your DNS wasn't poisoned there wouldn't be a problem. Also, you have a huge number of choices when it comes to DNS providers, which you don't have when it comes to certificate authorities trusted by common browsers.

Explanation / Answer

There is even a standard for this: DANE. And it is already in use with some sites, but currently mainly for SMTPS and not HTTPS.

But it needs DNSSEC to make sure that DNS lookups are not spoofed, because otherwise a man-in-the-middle attacker could simply send its own certificate inside the DNS lookup. Unfortunately, DNSSEC is not widely used at the moment, so for now we have to live with the established PKI structure.

But once DNSSEC is deployed deep enough, DANE is a promising technology, and you can use it either to use your own self-signed certificates or to have an additional trust path alongside the traditional CA-based certificates.
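The mechanism the answer describes, as an added example that is not part of the original answer: DANE publishes a TLSA record (RFC 6698) whose RDATA is `usage selector matching-type data`. Usage 3 (DANE-EE) pins the server's own certificate, so a self-signed certificate works; selector 0 covers the whole DER certificate and selector 1 only the SubjectPublicKeyInfo; matching type 1 or 2 stores a SHA-256 or SHA-512 digest. The code below builds such a record from a certificate and checks a presented certificate against it. Assumptions: the certificate is a constructed, certificate-shaped DER blob (structurally X.509 v3, but unsigned and not valid for anything but this demonstration); the `dnssec_ad` flag stands in for the AD bit a validating resolver sets on the TLSA answer, which is the point the answer makes about needing DNSSEC; the owner name `_443._tcp.example.com.` is illustrative only.

```python
import hashlib
from typing import List, Tuple

# TLSA RDATA field values from RFC 6698.
USAGE_DANE_EE = 3            # usage 3: pin the server's own (possibly self-signed) certificate
SELECTOR_FULL_CERT = 0       # selector 0: the whole DER certificate
SELECTOR_SPKI = 1            # selector 1: only the DER SubjectPublicKeyInfo
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

TlsaRecord = Tuple[int, int, int, bytes]

# --- minimal DER encode/decode helpers (enough for walking a certificate) ---

def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(seq_value: bytes) -> List[bytes]:
    """Split the value of a SEQUENCE into its encoded (tag+length+value) members."""
    out, pos = [], 0
    while pos < len(seq_value):
        _tag, _val, nxt = der_read(seq_value, pos)
        out.append(seq_value[pos:nxt])
        pos = nxt
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (tag, length and value) of a certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _tag, cert_body, _ = der_read(cert_der, 0)
    _tag, tbs_body, _ = der_read(cert_body, 0)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:      # explicit [0] version is present: skip it
        fields = fields[1:]
    return fields[5]              # serial, sigalg, issuer, validity, subject, SPKI

# --- TLSA record construction and matching ---------------------------------

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> TlsaRecord:
    """Compute the TLSA RDATA that pins cert_der under the given selector/matching type."""
    data = cert_der if selector == SELECTOR_FULL_CERT else extract_spki(cert_der)
    if mtype == MATCH_SHA256:
        data = hashlib.sha256(data).digest()
    elif mtype == MATCH_SHA512:
        data = hashlib.sha512(data).digest()
    return (usage, selector, mtype, data)

def tlsa_to_text(rec: TlsaRecord) -> str:
    """Presentation format as it would appear in a zone file: '3 1 1 <hex>'."""
    usage, selector, mtype, data = rec
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_from_text(text: str) -> TlsaRecord:
    usage, selector, mtype, data = text.split()
    return (int(usage), int(selector), int(mtype), bytes.fromhex(data))

def dane_ee_matches(cert_der: bytes, records: List[TlsaRecord], dnssec_ad: bool) -> bool:
    """True if the presented certificate matches a usage-3 TLSA record.

    dnssec_ad stands in for the resolver's AD bit (assumption for this example):
    an unvalidated TLSA answer could have been injected by an on-path attacker,
    so it must not be used to accept a certificate.
    """
    if not dnssec_ad:
        return False
    for usage, selector, mtype, data in records:
        if usage == USAGE_DANE_EE and tlsa_rdata(cert_der, usage, selector, mtype)[3] == data:
            return True
    return False

# --- constructed test certificate (NOT a real, signed certificate) ---------

def fake_cert(pubkey_bytes: bytes, serial: int = 1) -> bytes:
    """Build a certificate-shaped DER blob for the demonstration (constructed here)."""
    oid_sha256_rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D01010B"))
    oid_rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))
    sig_alg = der_tlv(0x30, oid_sha256_rsa + der_tlv(0x05, b""))
    spki = der_tlv(0x30, der_tlv(0x30, oid_rsa + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + pubkey_bytes))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # version v3
                  + der_tlv(0x02, bytes([serial])) + sig_alg    # serialNumber, signature
                  + der_tlv(0x30, b"") + validity               # issuer (empty), validity
                  + der_tlv(0x30, b"") + spki)                  # subject (empty), SPKI
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + b"\x55" * 16))

if __name__ == "__main__":
    cert = fake_cert(b"\x01" * 40)
    rec = tlsa_rdata(cert, USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256)
    print("_443._tcp.example.com. IN TLSA", tlsa_to_text(rec))
    print("same cert, DNSSEC-validated answer:", dane_ee_matches(cert, [rec], dnssec_ad=True))
    print("same cert, unvalidated answer:     ", dane_ee_matches(cert, [rec], dnssec_ad=False))
    print("attacker cert, validated answer:   ",
          dane_ee_matches(fake_cert(b"\x02" * 40, serial=9), [rec], dnssec_ad=True))
```

Selector 1 with a hash (`3 1 1`) is the usual choice for self-signed deployments: the record keeps matching when the certificate is reissued with the same key, whereas selector 0 pins the exact certificate bytes and must be updated on every reissue.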
