
Agreed... it's a shame that I can't just publish a public key as part of a DNS entry for a domain, and as long as the DNS chain is secure (DNSSEC) then that key can be trusted.



DNSSEC is just replacing one set of roots (the CAs) with another (the root servers).

At least with CAs you can (theoretically) remove trust from a subset of them and things (mostly) keep working.



