Microsoft deems all DigiNotar certificates untrustworthy, releases

fredrik danerklint fredan-nanog at fredan.se
Mon Sep 12 04:46:04 CDT 2011


> > How about a TXT record with the CN string of the CA cert subject in it?
> > If it exists and there's a conflict, don't trust it.  Seems simple
> > enough to implement without too much collateral damage.
> 
> Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> to attacks via DNS poisoning (either insert a malicious TXT that matches
> your malicious certificate, or insert a malicious TXT that intentionally
> *doesn't* match the vicitm's certificate)....

And how do you validate the dnssec to make sure that noone has tampered with 
it.

-- 
//fredan



More information about the NANOG mailing list