0

Why do we need a trusted third party to sign our public key for it to be trusted? We could publish it via DNS and it would be trusted. Isn't that how DKIM works? Why don't we do the same thing for HTTPS?

hamou92

2 Answers

3

DNS itself is not secure. DNS allows for relaying, so any DNS server that is in the path that a client uses to resolve the domain could lie, or the DNS request itself could be attacked via a MITM. DNSSEC attempts to correct some of this by signing DNS records so that only the owner of a domain can post DNS records authoritatively, but that only works if a) the DNS servers use DNSSEC and b) the attacker isn't able to attack in such a way that the domain is processed as if it didn't have DNSSEC.

Additionally, even if DNS were secure, third-party SSL signing serves a different purpose for trust. A CA's signature on a certificate means that someone other than the person issuing the cert has verified the details. If I go to mybankphishingsite.com I don't know if they are actually my bank or not. If they just post a certificate on their DNS (which they rightly control, as they registered the domain) then they could say they are My Bank Corp. With a CA signing the cert, however, the details have to be verified.

When they ask for a cert that says they are My Bank Corp, they have to provide documentation that they actually are My Bank Corp, so mybankphishingsite.com can't get a cert that says they are My Bank Corp, but myactualbank.com can get one. This lets me, as a user, know that I can trust myactualbank.com because a trusted third party has verified who they are.

AJ Henderson
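As an added illustration of this answer's two points (this is example code, not from the page or its authors): a toy model in Go where the client checks a server key against a DNS-published binding, once signed by a zone key the client already trusts (DNSSEC-style) and once delivered unsigned by an on-path resolver. The zone key, server key, attacker key and the name bank.example are constructed for the example; the record shape only loosely follows a DANE TLSA record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record models a DNS-published binding from a name to a server key hash.
// Sig is the zone owner's signature over the binding (DNSSEC-style);
// nil means the answer arrived unsigned.
type Record struct {
	Name    string
	KeyHash [32]byte
	Sig     []byte
}

func keyHash(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }
func payload(r Record) []byte             { return append([]byte(r.Name), r.KeyHash[:]...) }

// PublishRecord is what only the zone owner can do: sign the binding with the zone key.
func PublishRecord(name string, serverPub ed25519.PublicKey, zonePriv ed25519.PrivateKey) Record {
	r := Record{Name: name, KeyHash: keyHash(serverPub)}
	r.Sig = ed25519.Sign(zonePriv, payload(r))
	return r
}

// Verify is the client's check. strict=false models a resolver that accepts an
// unsigned answer, i.e. treats the zone as if it had no DNSSEC (point b above).
func Verify(r Record, presented, trustedZone ed25519.PublicKey, strict bool) bool {
	if keyHash(presented) != r.KeyHash {
		return false
	}
	if r.Sig == nil {
		return !strict
	}
	return ed25519.Verify(trustedZone, payload(r), r.Sig)
}

// Scenario: an on-path resolver swaps in its own key. Returns whether the honest
// record verifies and whether the forged one is accepted in strict and lax mode.
func Scenario() (honestOK, forgedStrict, forgedLax bool) {
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader) // constructed keys
	serverPub, _, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader)
	honest := PublishRecord("bank.example", serverPub, zonePriv)
	// The attacker controls the answer but not zonePriv, so the forged record is unsigned.
	forged := Record{Name: "bank.example", KeyHash: keyHash(attackerPub)}
	return Verify(honest, serverPub, zonePub, true),
		Verify(forged, attackerPub, zonePub, true),
		Verify(forged, attackerPub, zonePub, false)
}

func main() { fmt.Println(Scenario()) } // prints: true false true
```

The lax result is the answer's case b): a client that tolerates unsigned answers accepts the substituted key even though the zone key was never involved.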
2

If I ran my own DNS server I would be able to forge any public key for any domain without the final client noticing anything.

Y04NN