Microsoft deems all DigiNotar certificates untrustworthy, releases

• Previous message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases
• Next message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > How about a TXT record with the CN string of the CA cert subject in it?
> > If it exists and there's a conflict, don't trust it.  Seems simple
> > enough to implement without too much collateral damage.
> 
> Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> to attacks via DNS poisoning (either insert a malicious TXT that matches
> your malicious certificate, or insert a malicious TXT that intentionally
> *doesn't* match the vicitm's certificate)....

And how do you validate the dnssec to make sure that noone has tampered with 
it.

-- 
//fredan

• Previous message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases
• Next message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]