Revocation Lists and the Future of X.509

Geoff Huston from APNIC talked at the RIPE 84 about certificate revocation as a “sanction”. He concludes that the certificate infrastructure is not working, and instead suggests DNS is the answer. You can put keys in the DNS and use TTL to control the caching lag of the information.


How do you see it? What conclusions should we draw from this at CAcert? Write your comment below!

2 thoughts on “Revocation Lists and the Future of X.509

  1. dirk astrath

    Interesting Talk, thanks for sharing …

    In generall we need to differ between TLS (used for servers) and S/MIME (used for signing/encrypting mails/data/texts).

    In his talk only TLS-connections (and possible revocation-functionalities) are mentioned, but he didn’t talk about S/MIME, which requires different ways to validate the status of a certificate.

    From CAcert-site we’re currently offering CRL and OCP-services for all of our certificates … in the future we may (in my personal eyes: should) use different sub-roots (Class3) for TLS, S/MIME and other services/purposes to allow the most perfect validation of a certificate per sub-root.

  2. Bachsau

    I think that not supporting DANE is a deliberate decission by Mozilla and Google to maintain and excercise their power over the internet. They want to dictate who can be trusted, and, by enforcing HTTPS, who will be allowed to publicize at all.

Leave a Reply