Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
dot at dotat.at
Mon Sep 12 22:00:47 UTC 2011
> > > > with dane, i trust whoever runs dns for citibank to identify the cert
> > > > for citibank. this seems much more reasonable than other approaches,
> > > > though i admit to not having dived deeply into them all.
> > > If the root DNS keys were compromised in an all DNS rooted world...
> > > unhappiness would ensue in great volume.
Compromise of DNSSEC == compromise of one or more DNS registries.
This is a fate sharing situation. A few single points of failure
rather than hundreds.
Note that a big weak point in the DNS is the interface between the
registrars and the registry. If you have a domain you have to trust the
registry to impose suitable restrictions on its registrars to prevent a
dodgy registrar from stealing your domain. Another, of course, is the
interface between a registrar and its customers.
> It also drives up complexity too and makes you wonder what the added
> value of those cert vendors is for the money you're forking over.
During rollout the cert vendors will be providing backwards compatibility.
> Especially when you consider the criticality of dns naming for everything
> except web site host names using tls.
If a website using TLS loses its DNS then (a) you can't reach it, and (b)
the attacker can trivially obtain a new domain validated certificate.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Fisher, German Bight, Humber, Thames, Dover: Southwest 7 to severe gale 9.
Rough or very rough, becoming high in Fisher. Showers. Moderate or good.
More information about the NANOG