How to cut out the CA middleman

SSL certificates work on trust: end users trust their browsers, and browsers trust “certificate authorities” (CAs) like Gandi. But the chain goes one step further: the CA trusts DNS. When you buy an SSL certificate for from a CA like Gandi, Gandi verifies that you by challenging you to modify the DNS for that domain. The ultimate trusted authority is not the CA; it is the Domain Name System.

There is therefore a much simpler alternative to SSL certificates, which cuts out the CA middleman: have the browser consult DNS directly. The browser already consults DNS for the server’s IP; we would additionally have the browser ask DNS for a public key for that domain. It would run like this:

  1. Company buys from the .com registrar.
  2. Company generates keypair.
  3. Company puts public key in DNS under a TXT record (or some new PUBKEY record).
  4. Company puts private key on server.
  5. Company points’s A record to the server’s IP.
  6. User visits in browser.
  7. Browser asks DNS for the A record and PUBKEY record for
  8. Browser opens connection to the server, using server’s public key to establish shared secret.
  9. Browser and server communicate in a session.

Here, no Certificate Authorities are involved, but the user still has the same guarantees: it is talking in private to a server which is operated by the owner of

Tagged .

Similar posts

More by Jim

Want to build a fantastic product using LLMs? I work at Granola where we're building the future IDE for knowledge work. Come and work with us! Read more or get in touch!

This page copyright James Fisher 2017. Content is not associated with my employer. Found an error? Edit this page.