I know that many feel strongly that the web’s trust system should somehow move into DNS.
I think the first questions to ponder are: What is it that is wrong with the current WebPKI? (As it is in 2025, not as it was in 1999.) What would actually become better if we tried to move all of this into DNS?
Ponder this: Why do we place the “trust handling” in the application layer? (HTTP with TLS.) Why not in the IP layer?
- "I want to connect to IP X"
  - What IP X is is defined by your ISP. You can probably have a trust model here (ISP X cannot reassign IPs from ISP Y) but people don't usually dial IPs like phone numbers, and if they are, then just get them to dial a public key (only 4x longer!) and you're
    - done
    - future-proof if the IP changes
- Whereas DNS is about names.
  - Part of that is name to IP, but many names can map to one IP and vice versa, and IPs change
  - Really it's about names for agents, who have a key
  - So DNS solves the problem of mapping human-readable name => ephemeral agent ID
  - How do I trust that it's the right agent though?
  - I need cryptography! But it's exactly the same situation I want from DNS, except that here I only trust the root server.