Microsoft deems all DigiNotar certificates untrustworthy, releases

fredrik danerklint fredan-nanog at
Mon Sep 12 20:42:35 UTC 2011

> > > > How about a TXT record with the CN string of the CA cert subject in
> > > > it? If it exists and there's a conflict, don't trust it.  Seems
> > > > simple enough to implement without too much collateral damage.
> > > 
> > > Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> > > to attacks via DNS poisoning (either insert a malicious TXT that
> > > matches your malicious certificate, or insert a malicious TXT that
> > > intentionally *doesn't* match the vicitm's certificate)....
> > 
> > And how do you validate the dnssec to make sure that noone has tampered
> > with it.
> Since you are from Sweden, and in an IT job, you probably have personal
> relations to someone who has personal relations to one of the swedes
> or other nationalities that were present at the key ceremonies for the
> root. Once you've established that the signatures on the root KSK are good
> (which -- because of the above -- should be doable OOB quite easily for
> you) you can start validating the entire chain of trust.
> Quite trivial, in fact.

and how about a end user, who doesn't understand a computer at all, to be able 
verify the signatures, correctly?


More information about the NANOG mailing list