[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Subject: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
From: randy at psg.com (Randy Bush)
Date: Mon, 12 Sep 2011 17:12:24 +0200
In-reply-to: <[email protected]>
References: <CAAAas8Fua4EbjwKs_wkrcyr1Y6TqXQYNOAC5VGANKmh3hNSfUA@mail.gmail.com> <CAHyNd14PWaAgB6t8e0Z3PWc-GhhjXyNOydtB=H0f-2bYaLJ83A@mail.gmail.com> <[email protected]> <[email protected]> <m2fwk1kecp.wl%[email protected]> <[email protected]> <m2d3f5kduf.wl%[email protected]> <[email protected]>

>> as eliot pointed out, to defeat dane as currently written, you would
>> have to compromise dnssec at the same time as you compromised the CA at
>> the same time as you ran the mitm.  i.e. it _adds_ dnssec assurance to
>> CA trust.
> Yes, I saw that. It also drives up complexity too and makes you wonder
> what the added value of those cert vendors is for the money you're
> forking over.  Especially when you consider the criticality of dns
> naming for everything except web site host names using tls. And how
> long would it be before browsers allowed
> self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?

agree

Follow-Ups:
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: ml-nanog090304q at elcsplace.com (Ted Cooper)

References:
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: mike at mikejones.in (Mike Jones)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: millnert at gmail.com (Martin Millnert)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: greg at bestnet.kharkov.ua (Gregory Edigarov)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: leigh.porter at ukbroadband.com (Leigh Porter)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: randy at psg.com (Randy Bush)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: mike at mtcc.com (Michael Thomas)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: randy at psg.com (Randy Bush)
- Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
  - From: mike at mtcc.com (Michael Thomas)

Prev by Date: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Next by Date: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Previous by thread: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Next by thread: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
Index(es):
- Date
- Thread