by jackweirdy 4657 days ago
I disagree with this completely. The CA Model is absolutely flawed, and this is just patching a flawed model. I'd love to see a push for [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...) - where you publish your public key in DNS. When doubled with DNSSEC, this means your IP address is irrefutably tied to your domain and so is your TLS public key.
2 comments
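The check a DANE-aware client would run against the key published in DNS, as an added example that is not part of the original thread. The TLSA field meanings follow RFC 6698; the function names and byte strings are constructed for illustration, and DNSSEC validation of the answer and extraction of the SPKI from the certificate are assumed to happen elsewhere.

```python
import hashlib
import hmac

# Matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_MATCHERS = {
    0: lambda data: data,
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}


def parse_tlsa(rdata):
    """Parse TLSA presentation-format RDATA: 'usage selector mtype hex...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, mtype and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in _MATCHERS:
        raise ValueError("unsupported TLSA parameters")
    # Zone files may split the hex association data across several tokens.
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))


def make_tlsa(selector, mtype, cert_der, spki_der, usage=3):
    """Build the RDATA a zone owner would publish (usage 3 = DANE-EE)."""
    source = cert_der if selector == 0 else spki_der
    return f"{usage} {selector} {mtype} {_MATCHERS[mtype](source).hex()}"


def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented certificate matches the TLSA association data.

    Assumes the caller already DNSSEC-validated the TLSA answer and, for
    usages 0-2, performs the chain checks those usages require.
    """
    _usage, selector, mtype, expected = parse_tlsa(rdata)
    source = cert_der if selector == 0 else spki_der   # 0 = full cert, 1 = SPKI
    return hmac.compare_digest(_MATCHERS[mtype](source), expected)


# Constructed stand-ins for DER bytes (not real certificates).
CERT_A, SPKI_A = b"constructed-cert-A", b"constructed-spki-A"
CERT_RENEWED = b"constructed-cert-A-renewed"   # new certificate, same key pair
SPKI_OTHER = b"constructed-spki-other"         # different key pair

PINNED_KEY = make_tlsa(1, 1, CERT_A, SPKI_A)   # "3 1 1 <sha256 of SPKI>"
```

A record with selector 1 pins the public key, so it keeps matching when the certificate is reissued with the same key; selector 0 pins the whole certificate and has to be republished on every renewal.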

DNSSEC has the problem that you rely on root certificates as well - which are ultimately controlled by state actors. Where this goes we know already.
Well, we have a hell of a lot more transparency about where that key is, who generated and has access to it. There's a video of the entire ceremony online somewhere; at the moment I can only find [this summary](https://www.youtube.com/watch?v=b9j-sfP9GUU).
My critique goes more in the direction of DNSSEC being a centralized infrastructure. I didn't mean that it is easily subverted, but it's possible, especially for a US state actor. It's definitely more transparent than SSL CAs for sure. However, for my communications I'd rather rely on an infrastructure which is independent from centralized resources.
DANE is an interesting concept for sure. Not 100% viable in the short term, but going forward we need to start thinking of a better solution. It would still be cert based and just add a layer of complexity. The cert model works; it's just controlled by the wrong people and lacks regulation.
True, we need a better way to control it. The wrong companies are becoming authorities for the wrong reasons. We at least need more transparency on the verification process. I would also like to see a public list of cert requests that failed the approval process. It could be interesting data for incident responders.
Another alternative: http://en.wikipedia.org/wiki/Convergence_(SSL)

See Moxie Marlinspike’s talk from DEFCON 19 http://www.youtube.com/watch?v=pDmj_xe7EIQ