Thomas Voegtlin [ARCHIVE] on Nostr:
Original date posted: 2015-07-14
Original message: On 14/07/2015 13:19, Milly Bitcoin wrote:
>
>> If your email account is hacked and someone else gets a certificate in
>> your name, you'd be unable to *know* about it, because they would use a
>> different CA.
>
> Maybe I am confused but I thought you are using DNSSEC to sign the zones
> so only the domain owner could issue certificates for a zone (or
> corresponding email address). If you have "example.com" the domain
> owner of the domain would sign zone "joe.example.com" which can
> correspond to the "joe at example.com" email address. Under this scenario
> you would only have one CA per domain.
>
One CA per domain is indeed what I want to achieve. The paragraph you
quoted was about the current situation with email certs, where that is
not the case.