[Discuss] free SSL certs from the EFF

[Matthew Gillen]

Related to the discussion of how X509 is broken and various hacks to 
make it work:
What I would really like to see is a scheme adopted like SPF for mail: a 
TXT DNS entry for your domain that has the CA (or a fingerprint for the 
CA, or maybe the whole public cert).  That way you can be unequivocal 
about who the valid CA for your domain is.

To me that would solve the biggest problem with the "set of 'trusted' 
CAs" issue.

This is not without new attack vectors: you can only trust DNS responses 
as far as DNS-SEC goes, which unfortunately ends one-hop before 
end-systems (unless you run your own DNS server and force everything on 
your home network to use that; which I do but don't know how common that 
is).

Matt