by deathanatos 3877 days ago
> A DS record doesn't indicate a connection between an organization and a domain though, which a traditional CA supposedly might.

Only if you get an EV certificate, no? My understanding is that the only check required for getting a normal certificate issued is to verify that the person holding the key that you're signing is in control of the domain. (Verified through methods such as setting particular DNS records, proving control of the email in the WHOIS data, or setting up an HTTP server at a particular DNS address.)

Then again, most sites just use a basic cert, so perhaps DNSSEC provides most of what is needed.

1 comments
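The domain-validation flow the comment above describes, as an added example that is not part of the thread: a toy CA hands out a random challenge, the applicant publishes a value derived from that challenge and its own key in a DNS TXT record, and the CA signs only after finding that record. The `_validation` label, the `ToyCA` class and the in-memory zone are assumptions made for the example; no real CA protocol is being reproduced, and the point shown is that the resulting certificate binds a key to a domain and says nothing about an organization.

```python
"""Toy model of domain-validated (DV) issuance (added example, not from the thread).

The "DNS" is a constructed in-memory dict so the script runs offline.
Record name `_validation.<domain>` and class names are assumptions for this example.
"""
import hashlib
import hmac
import secrets


def publish_txt(zone: dict, name: str, value: str) -> None:
    """Applicant side: anyone who controls the zone can add a TXT record."""
    zone.setdefault(name.lower(), []).append(value)


def expected_proof(token: str, key_fingerprint: str) -> str:
    """Bind the challenge to the key that will be certified.

    A token that leaks to a third party then cannot be reused to get a
    certificate issued for some other key.
    """
    return hashlib.sha256(f"{token}.{key_fingerprint}".encode()).hexdigest()


class ToyCA:
    def __init__(self, zone: dict):
        self.zone = zone
        self.pending: dict[tuple[str, str], str] = {}  # (domain, fingerprint) -> token

    def new_challenge(self, domain: str, key_fingerprint: str) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[(domain, key_fingerprint)] = token
        return token

    def validate(self, domain: str, key_fingerprint: str) -> bool:
        """Look up the TXT record and compare it to the expected proof."""
        token = self.pending.get((domain, key_fingerprint))
        if token is None:
            return False  # no outstanding challenge for this (domain, key) pair
        want = expected_proof(token, key_fingerprint)
        records = self.zone.get(f"_validation.{domain}".lower(), [])
        ok = any(hmac.compare_digest(r, want) for r in records)
        if ok:
            del self.pending[(domain, key_fingerprint)]  # challenges are single use
        return ok


def issue_dv_certificate(ca: ToyCA, zone: dict, domain: str, key_fingerprint: str):
    """Run the whole exchange; returns a dict standing in for the certificate, or None.

    The applicant here controls `zone`, so it can publish the proof. Note what the
    result contains: subject and key only. No organization identity is checked.
    """
    token = ca.new_challenge(domain, key_fingerprint)
    publish_txt(zone, f"_validation.{domain}", expected_proof(token, key_fingerprint))
    if not ca.validate(domain, key_fingerprint):
        return None
    return {"subject": domain, "key": key_fingerprint, "organization": None}


if __name__ == "__main__":
    zone: dict = {}
    ca = ToyCA(zone)
    print(issue_dv_certificate(ca, zone, "example.test", "fp-A"))
    # A second request for the same domain but a different key, with no proof
    # published for it, is refused: control of the zone is the only thing checked.
    ca.new_challenge("example.test", "fp-B")
    print(ca.validate("example.test", "fp-B"))
```

Running it prints a certificate-like dict with `organization` set to `None`, then `False` for the request whose proof never appeared in the zone.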

Some of the certificates I've purchased have involved verifying some details of the organization, even though they weren't EV. I believe we needed a Dun and Bradstreet number when I got a certificate from Thawte in the late 90s (although I might be misremembering; something at that company needed that number...). And a more recent issuance wanted some other proof of existence / location: they had asked for a lease/utility bill, but issued with our location found in a state corporation database before I could get a copy of something they would accept. I won't disclose the issuer of the recent cert, but I would put them in the top tier of reputation (and prices).

I would hope an EV process would do a better verification, but I've never needed an EV cert, so I don't know.

DNSSEC is sort of like verifying to everyone that you control the DNS, near the time of use, as opposed to just verifying to a CA at time of issuance. Or in other words, if it's OK for a CA to trust DNS, letting everyone else trust it would be good too.

At least the concept is right, 1024-bit RSA keys are kind of scary. And DNSSEC doesn't address confidentiality, but TLS with SNI also leaks hostnames.
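The DS-record link the thread is discussing, as an added example that is not part of the thread: the parent zone's DS record carries a digest of the child's DNSKEY, and a resolver checks that digest at time of use. The code implements the RFC 4034 key-tag and DS-digest computations and the RFC 3110 layout of an RSA public key field, so a zone's keys can be audited for length (the 1024-bit concern raised above). Every key byte below is constructed filler, not a real key, and `example.test` is a placeholder owner name.

```python
"""DNSSEC delegation check (added example, not from the thread).

Implements RFC 4034 Appendix B (key tag) and section 5.1.4 (DS digest over
owner name || DNSKEY RDATA), plus the RFC 3110 RSA public-key layout.
All key material here is constructed filler; owner names are placeholders.
"""
import hashlib
import hmac


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, then a zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """What the parent publishes: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """Resolver-side check that a child's DNSKEY is the one the parent vouched for."""
    tag, alg, dtype, digest = ds
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return hmac.compare_digest(digest, ds_digest(owner, rdata, dtype))


def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 field layout: exponent length (1 byte, or 0 then 2 bytes), exponent, modulus."""
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


# Constructed filler, not a real key: exponent 65537 (3 bytes), 128-byte modulus, top bit set.
RSA_1024_PUBKEY = bytes([3, 0x01, 0x00, 0x01]) + bytes([0xC3]) + bytes(range(127))
WEAK_RSA_BITS = 2048  # audit threshold assumed for this example


def demo() -> dict:
    owner = "example.test"
    # Algorithm 13 (ECDSAP256SHA256) takes a 64-byte key field; this one is filler.
    child_key = dnskey_rdata(257, 3, 13, bytes(range(64)))
    parent_ds = make_ds(owner, child_key)
    tampered = child_key[:-1] + bytes([child_key[-1] ^ 1])
    return {
        "ds_ok": ds_matches_dnskey(parent_ds, owner, child_key),
        "tampered_ok": ds_matches_dnskey(parent_ds, owner, tampered),
        "other_owner_ok": ds_matches_dnskey(parent_ds, "other.test", child_key),
        "rsa_bits": rsa_modulus_bits(RSA_1024_PUBKEY),
        "rsa_weak": rsa_modulus_bits(RSA_1024_PUBKEY) < WEAK_RSA_BITS,
    }


if __name__ == "__main__":
    print(demo())
```

The owner name is part of the digested data, so a DS only matches the key at the delegation it was published for; and because the parent's DS is itself signed, the check chains upward to the trust anchor rather than to a CA's one-time decision. RFC 4034 section 5.4 carries a reference DS/DNSKEY pair if you want to check the functions against a published vector.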