nanog mailing list archives
Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)
From: Ted Cooper <ml-nanog090304q () elcsplace com>
Date: Tue, 13 Sep 2011 01:30:37 +1000
On 13/09/11 01:12, Randy Bush wrote:
as eliot pointed out, to defeat dane as currently written, you would have to compromise dnssec at the same time as you compromised the CA at the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to CA trust.Yes, I saw that. It also drives up complexity too and makes you wonder what the added value of those cert vendors is for the money you're forking over. Especially when you consider the criticality of dns naming for everything except web site host names using tls. And how long would it be before browsers allowed self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?agree
I would have thought that was a perfectly acceptable end point. The multiple CA's go away (oops), replaced with everyone being able to publish and authenticate their own certificates. The DNS has to be compromised to publish certificates, but if they've managed to do that, it doesn't matter what certificate you had in the first place. There are already public keys in the DNS for DKIM which work quite well. It lowers the cost for getting an SSL cert for your domain, but certainly not the security. Getting a cert for a domain is laughable these days. It's either too easy, or stupendously hard and ridiculous. EV certs are a joke as demonstrated by the thousands of people still getting phished since end users don't look at the address bar anyway. So long as it's encrypted and in some way secured against the domain, it's good enough isn't it?
Current thread:
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates), (continued)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Christopher J. Pilkington (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Martin Millnert (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Gregory Edigarov (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Martin Millnert (Sep 12)
- RE: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Leigh Porter (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Randy Bush (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Michael Thomas (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Randy Bush (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Michael Thomas (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Randy Bush (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Ted Cooper (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Martin Millnert (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Michael Thomas (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Gregory Edigarov (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Tony Finch (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Marcus Reid (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Gregory Edigarov (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Jasper Wallace (Sep 12)
- Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates) Jimmy Hess (Sep 12)