nanog mailing list archives
Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
From: Tony Finch <dot () dotat at>
Date: Mon, 12 Sep 2011 23:00:47 +0100
>> with dane, i trust whoever runs dns for citibank to identify the cert for citibank. this seems much more reasonable than other approaches, though i admit to not having dived deeply into them all.

> If the root DNS keys were compromised in an all DNS rooted world... unhappiness would ensue in great volume.
Compromise of DNSSEC == compromise of one or more DNS registries. This is a fate sharing situation. A few single points of failure rather than hundreds. Note that a big weak point in the DNS is the interface between the registrars and the registry. If you have a domain you have to trust the registry to impose suitable restrictions on its registrars to prevent a dodgy registrar from stealing your domain. Another, of course, is the interface between a registrar and its customers.
> It also drives up complexity too and makes you wonder what the added value of those cert vendors is for the money you're forking over.
During rollout the cert vendors will be providing backwards compatibility.
> Especially when you consider the criticality of dns naming for everything except web site host names using tls.
If a website using TLS loses its DNS then (a) you can't reach it, and (b) the attacker can trivially obtain a new domain validated certificate.

Tony.
--
f.anthony.n.finch <dot () dotat at> http://dotat.at/
Fisher, German Bight, Humber, Thames, Dover: Southwest 7 to severe gale 9. Rough or very rough, becoming high in Fisher. Showers. Moderate or good.
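The "whoever runs DNS for citibank identifies the cert" model quoted in this message is what a DANE TLSA record (RFC 6698) expresses: the zone operator publishes a hash of the server's key, and a client compares it against the key the TLS server actually presents. The following Python is an added illustration, not code from Tony Finch or from any DANE implementation; the DER byte strings, the `example.test` zone and the `_443._tcp` record are constructed placeholders, and it deliberately handles only certificate usage 3 (DANE-EE), the usage that needs no CA chain at all. It assumes the caller has already fetched the records through a DNSSEC-validating resolver, which is exactly the trust dependency the thread is debating.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable

# TLSA RDATA fields from RFC 6698. Certificate usage 3 (DANE-EE) is the
# "the DNS operator names the end-entity key" case discussed in the thread.
USAGE_DANE_EE = 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1          # full certificate vs SubjectPublicKeyInfo
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the presentation form '3 1 1 <hex>' (RFC 6698 section 2.2)."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, matching = (int(p) for p in parts[:3])
    if not (0 <= usage <= 3 and selector in (0, 1) and matching in (0, 1, 2)):
        raise ValueError("unknown TLSA field value")
    # The hex data may be split across whitespace in zone files; join it back.
    return TLSA(usage, selector, matching, bytes.fromhex("".join(parts[3:])))


def expected_association_data(record: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive what the record's data field must equal for this server key."""
    selected = cert_der if record.selector == SELECTOR_CERT else spki_der
    if record.matching == MATCH_EXACT:
        return selected
    if record.matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    # Constant-time comparison; a length mismatch simply fails.
    return hmac.compare_digest(expected_association_data(record, cert_der, spki_der), record.data)


def dane_ee_accepts(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """True if any DANE-EE (usage 3) record pins the presented key.

    Only usage 3 is decided here: it needs no PKIX chain, which is why the
    DNS operator alone decides which key is valid. Usages 0-2 would also
    require ordinary chain validation, so they are skipped, not accepted.
    Precondition: the records came from a DNSSEC-validated lookup; an
    unsigned answer proves nothing.
    """
    return any(r.usage == USAGE_DANE_EE and tlsa_matches(r, cert_der, spki_der)
               for r in records)


# Constructed stand-ins for DER blobs (not real certificates or keys).
SITE_CERT_DER = b"constructed-der-certificate-for-example.test"
SITE_SPKI_DER = b"constructed-der-subjectpublickeyinfo-for-example.test"
ROGUE_SPKI_DER = b"constructed-der-spki-of-a-mis-issued-certificate"

# What the zone operator would publish at _443._tcp.example.test (constructed).
EXAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SITE_SPKI_DER).hexdigest()


if __name__ == "__main__":
    recs = [parse_tlsa(EXAMPLE_TLSA)]
    print("legitimate key accepted:", dane_ee_accepts(recs, SITE_CERT_DER, SITE_SPKI_DER))
    print("mis-issued cert accepted:", dane_ee_accepts(recs, SITE_CERT_DER, ROGUE_SPKI_DER))
```

The second call is the DigiNotar-style case: a certificate chaining to a trusted CA but carrying a key the zone operator never published fails the pin, which is the point of the quoted argument. The flip side, also raised in the thread, is that whoever can alter the zone (registry, registrar, or a compromised DNSSEC key) can publish a new pin just as easily.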