Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Eliot Lear lear at cisco.com
Mon Sep 12 14:53:59 CDT 2011


On 9/12/11 4:32 PM, Jason Duerstock wrote:
> Except that this just shifts the burden of trust on to DNSSEC, which
> also necessitates a central authority of 'trust'.  Unless there's an
> explicitly more secure way of storing DNSSEC private keys, this just
> moves the bullseye from CAs to DNSSEC signers.

I said "some", not all, of the responsibility.  By adding an independent
PKI there is an additional control put in place to confirm that in fact
the signer is authorized to sign.  Should one go as far as to remove CA
caches from browsers altogether?

Eliot



More information about the NANOG mailing list