And it's not just decentralizing trust, but also further centralizing it: Instead of a list of CAs you can trust/not trust, you tie everything back to the DNSSEC root keys and your TLD's master keys.
My idea of letting the trust be tied to the Root and TLD master keys was more in the spirit of allowing people to have more say in SSL. The Internet is technically centralized to the IP and DNS namespace already, so for me it seemed like the next step in the chain. While we centralize one part of the Internet, we also open it up to allow alternative root projects like OpenNIC to establish community-based chains of trust.
Like I know one of the big problems with OpenNIC is nobody can really use SSL, since if you trust a third-party CA they can just sign for anybody without limits, and if you run both a DNS and CA service there then you have everything you would need to do large-scale SSL interception in those cases :(
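To make the scoping argument in this exchange concrete, here is an added toy model (not code from the thread; HMAC secrets stand in for real asymmetric signing keys, and every key, zone name and certificate fingerprint is constructed): in the CA model any trusted CA's signature is accepted for any hostname, while in a DNSSEC-style chain a key can only vouch for names under its own zone. The same model also shows the other side of the argument, that a TLD or root key keeps authority over everything beneath it.

```python
import hmac, hashlib

# Constructed toy keys. HMAC secrets stand in for the asymmetric signing keys a real
# DNSSEC or CA deployment would use; a real verifier would hold only public keys.
KEYS = {".": b"root-k", "org.": b"org-k", "example.org.": b"ex-k", "com.": b"com-k",
        "evil.com.": b"evil-k", "GlobalCA": b"ca1-k", "OtherCA": b"ca2-k"}

def sign(key_id, msg):
    return hmac.new(KEYS[key_id], msg.encode(), hashlib.sha256).digest()

def verify(key_id, msg, sig):
    return hmac.compare_digest(sign(key_id, msg), sig)

def in_scope(zone, name):
    # A zone key may only vouch for names inside its own DNS subtree; the root covers all.
    return zone == "." or name == zone or name.endswith("." + zone)

def ca_model_ok(trusted_cas, host, fingerprint, sig):
    # CA model: a signature from ANY trusted CA is accepted for ANY hostname (no scoping).
    return any(verify(ca, f"{host}|{fingerprint}", sig) for ca in trusted_cas)

def dns_model_ok(chain, host, fingerprint, sig):
    # chain: [(child_zone, delegation_sig)] from the root downwards. Every link must be
    # signed by the zone above it AND lie inside that zone's namespace; so must the host.
    signer = "."
    for child, dsig in chain:
        if not (verify(signer, f"delegate|{child}", dsig) and in_scope(signer, child)):
            return False
        signer = child
    return in_scope(signer, host) and verify(signer, f"{host}|{fingerprint}", sig)

HOST, FP = "mail.example.org.", "sha256:0123abcd"  # constructed host and cert fingerprint
good_chain = [("org.", sign(".", "delegate|org.")),
              ("example.org.", sign("org.", "delegate|example.org."))]
rogue_chain = [("com.", sign(".", "delegate|com.")),
               ("evil.com.", sign("com.", "delegate|evil.com."))]

def demo():
    legit = sign("example.org.", f"{HOST}|{FP}")      # the zone's own binding
    rogue_zone = sign("evil.com.", f"{HOST}|{FP}")    # unrelated zone vouching for HOST
    rogue_ca = sign("OtherCA", f"{HOST}|{FP}")        # unrelated but trusted CA
    tld_only = sign("org.", f"{HOST}|{FP}")           # the TLD key vouching directly
    return {
        "ca_accepts_any_trusted_ca": ca_model_ok(["GlobalCA", "OtherCA"], HOST, FP, rogue_ca),
        "dns_accepts_own_zone": dns_model_ok(good_chain, HOST, FP, legit),
        "dns_rejects_foreign_zone": dns_model_ok(rogue_chain, HOST, FP, rogue_zone),
        "tld_key_still_covers_children": dns_model_ok([good_chain[0]], HOST, FP, tld_only),
    }

if __name__ == "__main__":
    print(demo())
```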