Microsoft deems all DigiNotar certificates untrustworthy, releases
fredrik danerklint
fredan-nanog at fredan.se
Mon Sep 12 09:46:04 UTC 2011
> > How about a TXT record with the CN string of the CA cert subject in it?
> > If it exists and there's a conflict, don't trust it. Seems simple
> > enough to implement without too much collateral damage.
>
> Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> to attacks via DNS poisoning (either insert a malicious TXT that matches
> your malicious certificate, or insert a malicious TXT that intentionally
> *doesn't* match the vicitm's certificate)....
And how do you validate the dnssec to make sure that noone has tampered with
it.
--
//fredan
More information about the NANOG
mailing list