Why do we need a trusted third party to sign our public key for it to be trusted? We can publish it via DNS and it will be trusted. Isn't that how DKIM works? Why don't we do the same thing for HTTPS?
2 Answers
DNS itself is not secure. DNS allows for relaying, so any DNS server that is in the path that a client uses to resolve the domain could lie, or the DNS request itself could be attacked via a MITM. DNSSEC attempts to correct some of this by signing DNS records so that only the owner of a domain can post DNS records authoritatively, but that only works if a) the DNS servers use DNSSEC and b) the attacker isn't able to attack in such a way that the domain is processed as if it didn't have DNSSEC.
Additionally, even if DNS were secure, third party SSL signing serves a different purpose for trust. A CA's signature on a certificate means that someone other than the person issuing the cert has verified the details. If I go to mybankphishingsite.com, I don't know if they are actually my bank or not. If they just post a certificate on their DNS (which they rightly control as they registered the domain) then they could say they are My Bank Corp. With a CA signing the cert, however, the details have to be verified.
When they ask for a cert that says they are My Bank Corp, they have to provide documentation that they actually are My Bank Corp, so mybankphishingsite.com can't get a cert that says they are My Bank Corp, but myactualbank.com can get one. This lets me, as a user, know that I can trust myactualbank.com because a trusted third party has verified who they are.
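The bank example in the answer above, worked through with Go's standard `crypto/x509` package. This is an added example, not code from the answer's author: it constructs its own root CA ("Example Root CA"), a certificate the CA issues to myactualbank.com, and a self-signed certificate in which mybankphishingsite.com simply writes "My Bank Corp" into the subject, then runs the same chain check a TLS client performs. All names, keys and the CA itself are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a fresh P-256 key pair; every party in the scenario gets its own.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template. CA templates get the CertSign key
// usage; server templates get the DNS name and serverAuth EKU that Verify checks.
func template(serial int64, org, name string, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with the signer's key. When parent == tmpl the result is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenario returns the client's root pool (holding only the example CA), the
// bank's CA-issued certificate, and the impostor's self-signed certificate.
func Scenario() (*x509.CertPool, *x509.Certificate, *x509.Certificate) {
	caKey := newKey()
	caTmpl := template(1, "Example Root CA", "Example Root CA", true)
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	// The CA checked the paperwork and issued a cert for myactualbank.com only.
	bankKey := newKey()
	bankCert := issue(template(2, "My Bank Corp", "myactualbank.com", false),
		caCert, &bankKey.PublicKey, caKey)

	// The impostor controls its own domain and keys, so it can write any
	// organisation name it likes into a certificate it signs itself.
	phKey := newKey()
	phTmpl := template(3, "My Bank Corp", "mybankphishingsite.com", false)
	phCert := issue(phTmpl, phTmpl, &phKey.PublicKey, phKey)

	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, bankCert, phCert
}

// Verify is what a TLS client does: chain the cert to a trusted root and
// require that it was issued for the host actually being visited.
func Verify(roots *x509.CertPool, cert *x509.Certificate, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	roots, bank, impostor := Scenario()
	fmt.Println("bank cert for myactualbank.com:", Verify(roots, bank, "myactualbank.com"))
	fmt.Println("self-signed 'My Bank Corp' cert for mybankphishingsite.com:",
		Verify(roots, impostor, "mybankphishingsite.com"))
	fmt.Println("bank cert presented by mybankphishingsite.com:",
		Verify(roots, bank, "mybankphishingsite.com"))
}
```

The first check succeeds, the second fails with an unknown-authority error because nobody the client trusts vouched for the impostor's subject, and the third fails with a hostname error because the CA bound the certificate to myactualbank.com. The subject text "My Bank Corp" alone never decides anything; the signature from a trusted root does.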
If I run my own DNS server I would be able to forge any public key for any domain without the final client noticing anything.
- I don't think so; can you forge any DKIM, SPF, A, ... for any domain? – hamou92 Jul 26 '17 at 14:20
- Yes, but only for people that trust you for DNS. I still think this is a problem - this would let ISPs (who most people use for DNS) or employers impersonate any website / read all traffic. – crovers Jul 26 '17 at 14:41
- As well, this wouldn't work for EV certs. – crovers Jul 26 '17 at 14:41
- @hamou92 If I own the DNS server you trust, then yes. – Y04NN Jul 26 '17 at 18:15
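Both the first answer's DNSSEC caveat and this comment thread come down to the same question: when a client pulls a public key out of a DKIM-style TXT record, what tells it the answer was authenticated at all? The example below, added here and not written by any of the posters, parses a DNS response with Go's standard library only, reads the AD (Authenticated Data) header bit that a validating resolver sets, and refuses to return the key unless that bit is present. The query name `selector._domainkey.example.com`, the response bytes and the key text are all constructed inline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const (
	flagQR  = 1 << 15 // header bit: message is a response
	flagRD  = 1 << 8  // recursion desired
	flagRA  = 1 << 7  // recursion available
	flagAD  = 1 << 5  // Authenticated Data: resolver asserts DNSSEC validation
	typeTXT = 16
)

// Answer is the subset of a DNS response this example inspects.
type Answer struct {
	Authenticated bool
	RCode         int
	TXT           []string
}

// skipName returns the offset just past a possibly compressed owner name.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		l := int(msg[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0: // 2-byte compression pointer ends the name
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
	return 0, errors.New("truncated name")
}

// ParseResponse reads the header flags and collects TXT strings from the answer section.
func ParseResponse(msg []byte) (Answer, error) {
	var a Answer
	if len(msg) < 12 {
		return a, errors.New("short header")
	}
	flags := binary.BigEndian.Uint16(msg[2:])
	if flags&flagQR == 0 {
		return a, errors.New("not a response")
	}
	a.RCode = int(flags & 0xF)
	a.Authenticated = flags&flagAD != 0
	qd := int(binary.BigEndian.Uint16(msg[4:]))
	an := int(binary.BigEndian.Uint16(msg[6:]))
	off := 12
	for i := 0; i < qd; i++ { // skip questions: name + QTYPE + QCLASS
		next, err := skipName(msg, off)
		if err != nil {
			return a, err
		}
		off = next + 4
	}
	for i := 0; i < an; i++ { // answer RR: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
		next, err := skipName(msg, off)
		if err != nil {
			return a, err
		}
		if next+10 > len(msg) {
			return a, errors.New("truncated RR")
		}
		rrType := binary.BigEndian.Uint16(msg[next:])
		rdlen := int(binary.BigEndian.Uint16(msg[next+8:]))
		rd := next + 10
		if rd+rdlen > len(msg) {
			return a, errors.New("truncated RDATA")
		}
		if rrType == typeTXT { // TXT RDATA is a sequence of length-prefixed strings
			for p := rd; p < rd+rdlen; {
				n := int(msg[p])
				if p+1+n > rd+rdlen {
					return a, errors.New("bad TXT length")
				}
				a.TXT = append(a.TXT, string(msg[p+1:p+1+n]))
				p += 1 + n
			}
		}
		off = rd + rdlen
	}
	return a, nil
}

// PublishedKey returns the TXT payload only when the answer carries the AD bit.
// Caveat: AD is asserted by the resolver, so it is only worth anything when the
// client trusts that resolver and the path to it, or validates DNSSEC itself.
func PublishedKey(msg []byte) (string, error) {
	a, err := ParseResponse(msg)
	if err != nil {
		return "", err
	}
	if a.RCode != 0 {
		return "", fmt.Errorf("rcode %d", a.RCode)
	}
	if !a.Authenticated {
		return "", errors.New("AD bit clear: answer not DNSSEC-validated, key is unauthenticated")
	}
	if len(a.TXT) == 0 {
		return "", errors.New("no TXT record in answer")
	}
	return strings.Join(a.TXT, ""), nil
}

// BuildResponse constructs (for this example only) a reply to
// "selector._domainkey.example.com TXT" carrying txt, with AD set or clear.
func BuildResponse(ad bool, txt string) []byte {
	flags := uint16(flagQR | flagRD | flagRA)
	if ad {
		flags |= flagAD
	}
	msg := []byte{0x12, 0x34, byte(flags >> 8), byte(flags), 0, 1, 0, 1, 0, 0, 0, 0}
	for _, l := range []string{"selector", "_domainkey", "example", "com"} {
		msg = append(msg, byte(len(l)))
		msg = append(msg, l...)
	}
	msg = append(msg, 0, 0, typeTXT, 0, 1)                        // root label, QTYPE=TXT, QCLASS=IN
	msg = append(msg, 0xC0, 0x0C, 0, typeTXT, 0, 1, 0, 0, 1, 44) // name ptr to offset 12, TXT, IN, TTL 300
	rdata := append([]byte{byte(len(txt))}, txt...)
	msg = append(msg, byte(len(rdata)>>8), byte(len(rdata)))
	return append(msg, rdata...)
}

func main() {
	key := "v=DKIM1; k=rsa; p=EXAMPLEKEYDATA"
	fmt.Println(PublishedKey(BuildResponse(true, key)))
	fmt.Println(PublishedKey(BuildResponse(false, key)))
}
```

With AD set the key comes back; with AD clear it is rejected even though the record itself is identical. That is the limit the answers describe: the bit only tells you what your resolver claims, so a resolver you do not control, or a plain UDP path an attacker can rewrite, can hand you a clean-looking answer for any name. A CA signature, by contrast, travels with the certificate and can be checked regardless of who answered the DNS query.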