[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Subject: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
From: randy at psg.com (Randy Bush)
Date: Mon, 12 Sep 2011 16:57:44 +0200
In-reply-to: <[email protected]>
References: <CAAAas8Fua4EbjwKs_wkrcyr1Y6TqXQYNOAC5VGANKmh3hNSfUA@mail.gmail.com> <CAHyNd14PWaAgB6t8e0Z3PWc-GhhjXyNOydtB=H0f-2bYaLJ83A@mail.gmail.com> <[email protected]> <[email protected]> <m2fwk1kecp.wl%[email protected]> <[email protected]>

>> with dane, i trust whoever runs dns for citibank to identify the cert
>> for citibank.  this seems much more reasonable than other approaches,
>> though i admit to not having dived deeply into them all.
> If the root DNS keys were compromised in an all DNS rooted world...
> unhappiness would ensue in great volume.

as eliot pointed out, to defeat dane as currently written, you would
have to compromise dnssec at the same time as you compromised the CA at
the same time as you ran the mitm.  i.e. it _adds_ dnssec assurance to
CA trust.

randy

Follow-Ups:
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: mike at mtcc.com (Michael Thomas)

References:
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: mike at mikejones.in (Mike Jones)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: millnert at gmail.com (Martin Millnert)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: greg at bestnet.kharkov.ua (Gregory Edigarov)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: leigh.porter at ukbroadband.com (Leigh Porter)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: randy at psg.com (Randy Bush)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: mike at mtcc.com (Michael Thomas)

Prev by Date: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Next by Date: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Previous by thread: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Next by thread: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Index(es):
- Date
- Thread