
Hawk like an Egyptian: Google is HOPPING MAD over fake SSL certs

John Robson

Re: revoked cert

Yes, I *can* come up with a better solution.

I have suggested it here on a number of occasions, and it's generally not badly received...

SSL certs should be pulled down as a DNS record, with the DNS record secured by DNSSEC.

DNSSEC already has lookaside validation, and if the root cert was compromised then the whole world would be shouting about it...

I suggest that each browser company runs their own lookaside validation server as a default lookaside option in their browser (since you explicitly trust them anyway) and allows you to use others if you want to.

This also provides a nice way to distribute SSH host certs etc...


Biting the hand that feeds IT © 1998–2019