Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Eliot Lear lear at
Mon Sep 12 19:53:59 UTC 2011

On 9/12/11 4:32 PM, Jason Duerstock wrote:
> Except that this just shifts the burden of trust on to DNSSEC, which
> also necessitates a central authority of 'trust'.  Unless there's an
> explicitly more secure way of storing DNSSEC private keys, this just
> moves the bullseye from CAs to DNSSEC signers.

I said "some", not all, of the responsibility.  By adding an independent
PKI there is an additional control put in place to confirm that in fact
the signer is authorized to sign.  Should one go as far as to remove CA
caches from browsers altogether?


More information about the NANOG mailing list