Domain Key Infrastructure

The IETF has chartered an active working group, DNS-based Authentication of Named Entities (DANE), to standardize the secure distribution of public keys for authentication over DNSSEC. This follows Dan Kaminsky's work and presentations on the Phreebird suite, a set of tools that enable authentication and federation of trust through DNSSEC. Kaminsky calls this Domain Key Infrastructure (DKI).

Using Phreebird, and eventually the standards developed by DANE, domain name owners will be able to set up DNSSEC easily and publish public keys in DNS, including self-signed certificates, which can then be validated through the root of trust established by DNSSEC. This may reduce the need for Public Key Infrastructure (PKI) certificate signing.

The primary flaw of the current PKI system is that any trusted CA (including subordinate CAs) can sign for any domain. A recent study by the Electronic Frontier Foundation (EFF), the SSL Observatory, found that nearly 1,500 CA certificates are trusted by Windows or Firefox. The failure or untrustworthiness of a single CA undermines the security of every client that trusts that CA. Vulnerabilities have been identified in the past, including MD5 collisions and the Debian OpenSSL bug.

With DKI there is a one-to-one relationship between a domain name and its certificate, which avoids the any-issuer-for-any-domain flaw of PKI. However, DKI validates only the domain, so additional details often contained in certificates, such as the organization name, would not be authenticated. This leaves an opening for existing Public Key Infrastructure providers to continue offering Extended Validation (EV) certificates.
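The domain-to-certificate binding described above is what DANE later standardized as the TLSA record (RFC 6698): the zone owner publishes a hash of the server's certificate or public key under `_port._proto.name`, and a client compares the certificate it receives over TLS against that DNSSEC-validated record. The following is an added example, not code from the page or from the Phreebird suite. It builds the TLSA rdata a zone owner would publish and performs the client-side match; the certificate it uses is a constructed byte structure that only mirrors the X.509 field order (no real signature), so the SubjectPublicKeyInfo extraction can be shown without a crypto library. The hostname `example.com` and the toy key bytes are assumptions.

```python
"""Match a server certificate against a DANE TLSA record (RFC 6698).

Added example: not code from the page or from Phreebird. The certificate
is a constructed, unsigned byte structure that only mirrors RFC 5280 field
order. A real client takes the DER certificate from the TLS handshake and
the TLSA record from a DNSSEC-validated lookup.
"""
import hashlib
import hmac
from dataclasses import dataclass


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_elements(data: bytes):
    """Yield (tag, whole_tlv, content) for each top-level TLV in data."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(data[i + 2:i + 2 + k], "big"), 2 + k
        yield tag, data[i:i + hdr + n], data[i + hdr:i + hdr + n]
        i += hdr + n


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV from a DER-encoded certificate."""
    _, _, cert_body = next(der_elements(cert_der))
    _, _, tbs = next(der_elements(cert_body))          # tbsCertificate
    fields = list(der_elements(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


@dataclass
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA presentation rdata such as '3 1 1 ab12...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex("".join(hexparts)))


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate association data per the record's selector and matching type."""
    material = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    if matching_type == 0:
        return material
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](material).digest()


def tlsa_rdata_for(cert_der: bytes, usage: int, selector: int, matching_type: int) -> str:
    """Rdata the zone owner publishes for this certificate."""
    return f"{usage} {selector} {matching_type} " + association_data(
        cert_der, selector, matching_type).hex()


def dane_accepts(records, chain, pkix_valid: bool = False) -> bool:
    """chain: DER certs, end-entity first. True if any record authenticates it."""
    for r in records:
        if r.usage in (0, 1) and not pkix_valid:
            continue  # PKIX-* usages still require ordinary CA path validation
        candidates = chain[:1] if r.usage in (1, 3) else chain  # *-EE: leaf only
        for cert in candidates:
            if hmac.compare_digest(association_data(cert, r.selector, r.matching_type), r.data):
                return True
    return False


def build_toy_cert(key_bytes: bytes) -> bytes:
    """Constructed stand-in for a DER certificate (RFC 5280 field order, no real signature)."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + b"\x00" * 8))


if __name__ == "__main__":
    server_cert = build_toy_cert(bytes(range(32)))          # constructed key material
    rdata = tlsa_rdata_for(server_cert, 3, 1, 1)            # DANE-EE, SPKI, SHA-256
    print("_443._tcp.example.com. IN TLSA", rdata)
    record = parse_tlsa(rdata)
    print("genuine cert accepted:", dane_accepts([record], [server_cert]))
    print("cert from any other issuer accepted:",
          dane_accepts([record], [build_toy_cert(bytes(32))]))
```

With usage 3 (DANE-EE) the record alone decides: a certificate for the same name issued by any CA, however widely trusted, fails the match because its key differs from the one the domain owner published. Usages 0 and 1 keep the CA path check, which is how a zone can layer DANE on top of an EV certificate rather than replace it.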

DKI promises to be a significant advance for information security. Establishing federated trust between organizations is a difficult challenge, and DKI has great potential to improve the situation.

Comments

The DNSSEC Chicken and Egg Dilemma

When you talk to DNSSEC experts, the phrase "chicken and egg" comes up frequently, as the commenter notes. Rod Rasmussen's multi-part Security Week article on the advantages and disadvantages of DNSSEC is appropriately subtitled "The Chicken and Egg Challenge" for this reason (http://www.securityweek.com/application-layers-dnssec-chicken-and-egg-challenge). Only with upward and downward pressure from users and registries alike will DNSSEC eventually become widespread. About me: http://bit.ly/fQZRHb.

The problem with DKI is very

The problem with DKI is that very few registrars support it, and only on certain domain extensions so far, and hardly any DNS providers support it today either (the exception being Dynect). For example, I own the .cz of my domain and CZ.NIC has rolled out DNSSEC quite beautifully, but I still can't support it as my registrar doesn't. In addition, .com/.net still haven't been signed, and those are two of the most important extensions.