[Pdns-users] CERT RR?
lehmann at cnm.de
Tue Apr 11 10:52:06 UTC 2006
> Having been involved with PKI for the last 4 or so years, I highly doubt
> this will be the case, the guys coding bind have been pushing their PKI
> in DNS stuff for years and nothing is happening with it, nobody cares
> apart from marketing departments and how much money they can make from
I think the reality is somewhat different if you e.g. look to the
extensions of GnuPG that have been made recently. Signatures will become
very important as it is the only way to verify an identity. The lack of
S/MIME is, that it requires CAs to issue certs which does cost money and
is very centralised. On the other hand there is PGP which uses a
web-of-trust which doesn't really work, because in a company you don't
want your keys to be signed by external keys, but you want to build your
own hierarchical "web-of-trust" where you sysadmins must be able to
issue keys but they must be trusted by external parties without being
signed by 20 other keys to become trusted. Thats what DNS-CERT is
invented for: Keys are stored with the domain name so in a way you build
your own CAs which are verified by the CERT-record of the according
domain name. I also found a nice article that explains all this, but its
in German: http://www.heise.de/security/artikel/71726 Maybe you can
translate it with babelfish or find an English version.
> Yet, why is there only 250,000 SSL enabled sites? (Out of those, 21,000
> sites are self signed, and 85,000 are signed by unknown CAs)
> 150,000 "valid" SSL sites...
Thats a completely different story but I can explain it anyway: Certs
from CAs cost money, a lot of money. SSL is for encrypting sensitive
data and increases the load on the webservers. Whats the use of
encrypting non-sensitive data and paying for a cert if you are hosting
public information like news, pictures, your blog, personal homepage or
> On the other side of the coin how many sites are using SSH?
Sites? Not sites are using SSH but developers working on sites (and
besides that a can do a lot more with SSH than just updating your
homepage). I don't know anyone that is using the old telnet but everyone
is using SSH.
More information about the Pdns-users