nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
From: Måns Nilsson <mansaxel () besserwisser org>
Date: Mon, 12 Sep 2011 22:31:59 +0200
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

Date: Mon, Sep 12, 2011 at 11:46:04AM +0200
Quoting fredrik danerklint (fredan-nanog () fredan se):
> > > How about a TXT record with the CN string of the CA cert subject in it?
> > > If it exists and there's a conflict, don't trust it. Seems simple enough
> > > to implement without too much collateral damage.
> >
> > Needs to be a DNSSEC-validated TXT record, or you've opened yourself up to
> > attacks via DNS poisoning (either insert a malicious TXT that matches your
> > malicious certificate, or insert a malicious TXT that intentionally
> > *doesn't* match the victim's certificate)....
>
> And how do you validate the dnssec to make sure that no one has tampered
> with it.
Since you are from Sweden, and in an IT job, you probably have personal
relations to someone who has personal relations to one of the Swedes or
other nationalities that were present at the key ceremonies for the root.
Once you've established that the signatures on the root KSK are good (which
-- because of the above -- should be doable OOB quite easily for you) you
can start validating the entire chain of trust. Quite trivial, in fact.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Am I in GRADUATE SCHOOL yet?
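The TXT-pinning idea quoted above, together with the DNSSEC requirement raised against it, written out as a small policy check so the two poisoning cases can be exercised. This is an added example, not code from the thread or from any resolver or TLS stack: the owner name `_ca.<host>`, the record format (a bare issuer CN), the two issuer DNs and the DNS answers are all constructed assumptions, and the `authenticated` flag stands in for the AD bit a validating resolver would return rather than doing any DNSSEC validation itself.

```python
"""Hypothetical "pin the CA in a DNS TXT record" check, as sketched in the thread.

Assumed policy (not a standard):
  * look up TXT at `_ca.<hostname>`;
  * the answer is usable only if the resolver reports it as DNSSEC-validated
    (the AD bit); an unvalidated answer is ignored, so a spoofed record can
    neither grant nor deny trust, it merely leaves the client with ordinary
    chain validation;
  * if a validated record exists and none of its values equals the issuer
    CN of the presented certificate, the certificate is refused.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Verdict(Enum):
    NO_RECORD = "no pin published; fall back to ordinary chain validation"
    UNVALIDATED = "pin present but not DNSSEC-validated; ignored"
    MATCH = "validated pin matches the certificate issuer"
    CONFLICT = "validated pin differs from the certificate issuer; refuse"


@dataclass
class TxtAnswer:
    """A TXT lookup result as a validating stub resolver would hand it back.

    `authenticated` models the AD bit: the resolver followed the DNSSEC chain
    from the root KSK down to this RRset and every signature checked out.
    """
    owner: str
    strings: List[str] = field(default_factory=list)  # one entry per TXT record
    authenticated: bool = False


def issuer_cn(issuer_dn: str) -> Optional[str]:
    """Extract the CN attribute from an RFC 4514-style DN string (simple DNs only)."""
    for rdn in issuer_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def check_ca_pin(answer: Optional[TxtAnswer], issuer_dn: str) -> Verdict:
    """Apply the assumed policy to one DNS answer and one certificate issuer."""
    if answer is None or not answer.strings:
        return Verdict.NO_RECORD
    if not answer.authenticated:
        # Without DNSSEC the record could have been injected by anyone able
        # to poison the cache, so it must not influence the trust decision.
        return Verdict.UNVALIDATED
    cn = issuer_cn(issuer_dn)
    pins = {s.strip() for s in answer.strings}
    if cn is not None and cn in pins:
        return Verdict.MATCH
    return Verdict.CONFLICT


# Constructed sample data (hypothetical CA names and owner name).
LEGIT_ISSUER = "CN=Example Public CA, O=Example Trust Services, C=SE"
ROGUE_ISSUER = "CN=Rogue Intermediate CA, O=Compromised CA, C=XX"
OWNER = "_ca.www.example.se"


def scenarios() -> dict:
    """Run the check over the cases discussed in the thread."""
    pinned = TxtAnswer(OWNER, ["Example Public CA"], authenticated=True)
    # A spoofed record that matches the rogue issuer, and one that deliberately
    # mismatches the legitimate issuer; neither carries a validated signature.
    spoofed_to_match = TxtAnswer(OWNER, ["Rogue Intermediate CA"], authenticated=False)
    spoofed_to_deny = TxtAnswer(OWNER, ["Some Other CA"], authenticated=False)
    return {
        "legit": check_ca_pin(pinned, LEGIT_ISSUER),
        "misissued": check_ca_pin(pinned, ROGUE_ISSUER),
        "spoofed_to_match": check_ca_pin(spoofed_to_match, ROGUE_ISSUER),
        "spoofed_to_deny": check_ca_pin(spoofed_to_deny, LEGIT_ISSUER),
        "no_pin": check_ca_pin(None, LEGIT_ISSUER),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18s} -> {verdict.name}: {verdict.value}")
```

The two `spoofed_*` cases come out as `UNVALIDATED`, which is the whole point of the DNSSEC requirement: a forged record is simply inert, and the client is no worse off than with plain chain validation. Whether the client can in turn trust its resolver's AD bit is the question the reply above answers with out-of-band verification of the root KSK. The same shape of policy was later standardised in DANE (RFC 6698, which pins keys or certificates in TLSA records) and, on the issuance side, in CAA (RFC 6844).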