Microsoft deems all DigiNotar certificates untrustworthy, releases updates

• Previous message (by thread): DANE and DNSSEC, was Microsoft deems all DigiNotar
• Next message (by thread): NANOGers home data centers - What's in your closet?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/12/11 4:32 PM, Jason Duerstock wrote:
> Except that this just shifts the burden of trust on to DNSSEC, which
> also necessitates a central authority of 'trust'.  Unless there's an
> explicitly more secure way of storing DNSSEC private keys, this just
> moves the bullseye from CAs to DNSSEC signers.

I said "some", not all, of the responsibility.  By adding an independent
PKI there is an additional control put in place to confirm that in fact
the signer is authorized to sign.  Should one go as far as to remove CA
caches from browsers altogether?

Eliot

• Previous message (by thread): DANE and DNSSEC, was Microsoft deems all DigiNotar
• Next message (by thread): NANOGers home data centers - What's in your closet?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]