Microsoft deems all DigiNotar certificates untrustworthy, releases
fredan-nanog at fredan.se
Mon Sep 12 20:42:35 UTC 2011
> > > > How about a TXT record with the CN string of the CA cert subject in
> > > > it? If it exists and there's a conflict, don't trust it. Seems
> > > > simple enough to implement without too much collateral damage.
> > >
> > > Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> > > to attacks via DNS poisoning (either insert a malicious TXT that
> > > matches your malicious certificate, or insert a malicious TXT that
> > > intentionally *doesn't* match the vicitm's certificate)....
> > And how do you validate the dnssec to make sure that noone has tampered
> > with it.
> Since you are from Sweden, and in an IT job, you probably have personal
> relations to someone who has personal relations to one of the swedes
> or other nationalities that were present at the key ceremonies for the
> root. Once you've established that the signatures on the root KSK are good
> (which -- because of the above -- should be doable OOB quite easily for
> you) you can start validating the entire chain of trust.
> Quite trivial, in fact.
and how about a end user, who doesn't understand a computer at all, to be able
verify the signatures, correctly?
More information about the NANOG