Security team successfully cracks SSL using 200 PS3's and MD5
Randy Bush
randy at psg.com
Mon Jan 5 21:09:34 UTC 2009
On 09.01.06 05:59, Joe Abley wrote:
>> perhaps i am a bit slow. but could someone explain to me how trust in
>> dns data transfers to trust in an http partner and other uses to which
>> ssl is put?
>
> If I can get secure answers to "www.bank.example IN CERT?" and
> "www.bank.example IN A?" then perhaps when I connect to
> www.bank.example:443 I can decide to trust the certificate presented by
> the server based on the trust anchor I extracted from the DNS, rather
> than whatever trust anchors were bundled with my browser.
>
> That presumably would mean that the organisation responsible for
> bank.example could run their own CA and publish their own trust anchor,
> without having to buy that service from one of the traditional CA
> companies.
>
> No doubt there is more to it than that. I don't know anything much about
> X.509.
x.509 is not the issue. it is your assumption that dns trust is
formally transferrable to ssl/tls cert trust.
to use your example, the contractor who serves dns for www.bank.example
could insert a cert and then fake the web site having (a child of) that
cert. whereas, if the site had its cert a descendant of the ca for all
banks, this attack would fail.
and i am not interested in quibbling about banks and who issues root
cas. the point is that there are two different trust models here, and
trust is not transitive.
but then again, i have not even had coffee yet this morning.
randy
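A toy model of the two trust models Randy contrasts, added here as an example and not part of the thread: one chain check, with the anchor set taken either from the browser's bundled CAs or from whatever the zone operator published as the name's CERT record. The CA names and the signed-set stand-in for a real signature check are assumptions of the example.

```python
from typing import Dict, Set, Tuple

Cert = Tuple[str, str]  # (subject name, issuer name)


class Signer:
    """Holder of a signing key (toy). Signing is modelled by recording the
    cert in the key holder's signed set; verifying a hop is checking that
    the named issuer really recorded it."""

    def __init__(self, name: str, parent: "Signer" = None):
        self.name = name
        self.signed: Set[Cert] = set()
        self.cert = parent.issue(name) if parent else self.issue(name)  # self-signed root

    def issue(self, subject: str) -> Cert:
        cert = (subject, self.name)
        self.signed.add(cert)
        return cert


def chains_to(cert: Cert, signers: Dict[str, Signer], anchors: Set[str], max_depth: int = 8) -> bool:
    """Climb issuer links until a trust anchor is reached; every hop must carry
    a signature by the named issuer's key holder."""
    for _ in range(max_depth):
        _subject, issuer = cert
        signer = signers.get(issuer)
        if signer is None or cert not in signer.signed:
            return False  # unknown issuer or no real signature by it
        if issuer in anchors:
            return True  # reached an anchor the relying party trusts
        cert = signer.cert  # move up to the issuer's own cert
    return False


# Constructed scenario: the sector CA the browser ships with (placeholder name),
# and the contractor who serves DNS for the zone and runs its own CA.
all_banks = Signer("AllBanksCA")
bank_cert = all_banks.issue("www.bank.example")
contractor = Signer("ContractorCA")
contractor_cert = contractor.issue("www.bank.example")
signers = {s.name: s for s in (all_banks, contractor)}
BROWSER_ANCHORS = {"AllBanksCA"}


def trusted_via_ca(cert: Cert) -> bool:
    """Browser policy: anchors come from the bundled CA set."""
    return chains_to(cert, signers, BROWSER_ANCHORS)


def trusted_via_dns(cert: Cert, zone_cert_record: str) -> bool:
    """DNS policy: the anchor is whatever the (DNSSEC-valid) zone data says it is."""
    return chains_to(cert, signers, {zone_cert_record})
```

With the contractor's CA published in the zone, the contractor's cert for www.bank.example passes the DNS policy and fails the CA policy, which is the non-transitivity the post describes; a cert merely claiming AllBanksCA as issuer fails both because no signature exists.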