by vlovich123 481 days ago
I really wish that we would have the option to get rid of CAs and just use DNSSEC as the root of the chain of trust.

Is it coming? I notice that OpenSSL now has support for raw public keys.

The spec (RFC 7250, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)") suggests DANE/DNSSEC as a mechanism to bind identities to public keys (section 6).

https://datatracker.ietf.org/doc/html/rfc7250

Will this really be simpler?
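The binding RFC 7250 section 6 points at is a DANE TLSA record (RFC 6698) whose association data is derived from the server's SubjectPublicKeyInfo, so a client that received a raw public key in the handshake can check it against a DNSSEC-validated record. The following is an added illustration, not code from this thread, from OpenSSL or from the RFCs; it uses a constructed placeholder SPKI, and the record name mentioned in a comment is hypothetical. It goes slightly beyond the RFC 7250 text by handling both the SHA-256 and the full-content matching types.

```python
"""DANE-EE (RFC 6698) binding of a raw public key (RFC 7250) via a TLSA record.

Added example with constructed inputs only. Shows the TLSA RDATA wire layout and
the check a client performs once it holds a DNSSEC-validated record: hash the
SPKI received in the handshake and compare it with the published data.
"""
import hashlib
import hmac

# RFC 6698 TLSA RDATA: usage (1 octet), selector (1 octet), matching type (1 octet),
# followed by the certificate association data.
USAGE_DANE_EE = 3        # end-entity assertion; no PKIX chain is required
SELECTOR_SPKI = 1        # select the SubjectPublicKeyInfo, not the whole certificate
MATCHING_FULL = 0        # association data is the selected content itself
MATCHING_SHA256 = 1      # association data is SHA-256 of the selected content

# Constructed placeholder for a DER SubjectPublicKeyInfo (shaped like an Ed25519
# SPKI, but the key bytes are arbitrary). In an RFC 7250 handshake this is what the
# server sends in place of a certificate.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))


def build_tlsa_rdata(spki: bytes, matching: int = MATCHING_SHA256) -> bytes:
    """What the zone operator publishes, e.g. at _443._tcp.example (hypothetical name)."""
    if matching == MATCHING_SHA256:
        data = hashlib.sha256(spki).digest()
    elif matching == MATCHING_FULL:
        data = spki
    else:
        raise ValueError("unsupported matching type")
    return bytes([USAGE_DANE_EE, SELECTOR_SPKI, matching]) + data


def parse_tlsa_rdata(rdata: bytes):
    """Split wire-format RDATA into (usage, selector, matching, association data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def tlsa_presentation(rdata: bytes) -> str:
    """Zone-file form, e.g. '3 1 1 <hex digest>'."""
    usage, selector, matching, data = parse_tlsa_rdata(rdata)
    return f"{usage} {selector} {matching} {data.hex()}"


def spki_matches_tlsa(spki: bytes, rdata: bytes) -> bool:
    """Client-side check: does the presented raw key match the validated record?

    Only the DANE-EE / SPKI combination is accepted, because a raw public key
    carries no certificate for the other usages and selectors to operate on.
    """
    usage, selector, matching, data = parse_tlsa_rdata(rdata)
    if usage != USAGE_DANE_EE or selector != SELECTOR_SPKI:
        return False
    if matching == MATCHING_SHA256:
        return hmac.compare_digest(hashlib.sha256(spki).digest(), data)
    if matching == MATCHING_FULL:
        return hmac.compare_digest(spki, data)
    return False  # unknown matching type: fail closed


if __name__ == "__main__":
    record = build_tlsa_rdata(SAMPLE_SPKI)
    print("published:", tlsa_presentation(record))
    print("genuine key matches:", spki_matches_tlsa(SAMPLE_SPKI, record))
    tampered = SAMPLE_SPKI[:-1] + bytes([SAMPLE_SPKI[-1] ^ 0x01])
    print("tampered key matches:", spki_matches_tlsa(tampered, record))
```

The comparison only means something if the TLSA answer itself arrived with a validated DNSSEC chain; the block assumes that step has already happened and does not perform it, which is exactly the part of the design the thread is debating.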

It is not coming. Browsers are unlikely to support DANE (Chrome briefly did, and then pulled support, IIRC).
Simpler and faster I hope.
In fact, the slowness and complexity of DANE is a big part of why it got pulled.