Slashdot Mirror


Can We Fix SSL Certification?

Em Adespoton writes "At DEFCON this year, Moxie Marlinspike gave an excellent presentation showing how broken the current SSL certification model is and proposing a replacement. Naked Security adds to the issue, asking: does it even matter if you can trust your certificate notaries?"


  1. Re:Distribute Certificates via DNS (using DNSSEC)? by AceJohnny · Score: 3, Informative

    Moxie Marlinspike, the author of Convergence mentioned in TFA, addressed that very problem in a post. Long story short: a DNSSEC system would worsen the rigidity and centralization of the current CA system.

    --
    Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
  2. RFC 4398 by tepples · Score: 3, Informative

    The DNSSEC layer only verifies no one has altered the port 53 packets. [...] SSL layer encrypts the whole data stream.

    Then use them together. Have each domain owner run his own CA and use an RFC 4398 resource record to put the certificate for that in DNS. If a TLS connection's certificate chain ends up at an untrusted certificate, the browser would fetch a CERT RR for the domain and treat the result as a domain-validated intermediate CA certificate signed by the DNSSEC root.
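The fallback tepples sketches, written out as an added example (not code from the thread): a constructed domain-run CA and a leaf for example.com are built with Go's standard library, a map stands in for the zone's CERT RR (type code 1 = PKIX is RFC 4398's value for a DER X.509 certificate), and a boolean stands in for the resolver having DNSSEC-authenticated that RRset. The anchor fetched from DNS is scoped to the queried host only, which is what "domain-validated" has to mean in this scheme.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"
	"errors"; "math/big"; "time"
)

// certRR models one RFC 4398 CERT record; type 1 (PKIX) carries a DER-encoded X.509 certificate.
// dnssecOK is a constructed stand-in for "the validating resolver authenticated this RRset".
type certRR struct{ certType int; der []byte; dnssecOK bool }

// setup builds the constructed PKI: a CA run by the domain owner, a leaf for example.com signed
// by it, and a zone publishing the CA certificate as a CERT RR. The browser's root pool is empty.
func setup(dnssecOK bool) (*x509.Certificate, *x509.CertPool, map[string]certRR) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.com CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey) // self-signed
	ca, _ := x509.ParseCertificate(caDER)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"example.com"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	zone := map[string]certRR{"example.com": {certType: 1, der: caDER, dnssecOK: dnssecOK}}
	return leaf, x509.NewCertPool(), zone
}

// verifyWithDNS is the commenter's fallback: when the chain ends at an untrusted certificate, fetch
// the host's CERT RR and use it as a domain-validated anchor, but only if DNSSEC authenticated it
// and it is a CA certificate. The anchor is scoped to this host, never added to the global store.
func verifyWithDNS(leaf *x509.Certificate, roots *x509.CertPool, zone map[string]certRR, host string) error {
	opts := x509.VerifyOptions{Roots: roots, DNSName: host}
	if _, err := leaf.Verify(opts); err == nil {
		return nil
	}
	rr, ok := zone[host]
	if !ok || rr.certType != 1 || !rr.dnssecOK {
		return errors.New("no DNSSEC-authenticated PKIX CERT RR for " + host)
	}
	anchor, err := x509.ParseCertificate(rr.der)
	if err != nil || !anchor.IsCA {
		return errors.New("CERT RR does not carry a CA certificate")
	}
	opts.Roots = x509.NewCertPool()
	opts.Roots.AddCert(anchor)
	_, err = leaf.Verify(opts)
	return err
}
```

Unauthenticated records, non-PKIX record types and records for a different name all fall through to a hard failure rather than a silent downgrade.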