nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

From: fredrik danerklint <fredan-nanog () fredan se>
Date: Mon, 12 Sep 2011 22:42:35 +0200
How about a TXT record with the CN string of the CA cert subject in
it? If it exists and there's a conflict, don't trust it.  Seems
simple enough to implement without too much collateral damage.


Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
to attacks via DNS poisoning (either insert a malicious TXT that
matches your malicious certificate, or insert a malicious TXT that
intentionally *doesn't* match the vicitm's certificate)....


And how do you validate the dnssec to make sure that noone has tampered
with it.


Since you are from Sweden, and in an IT job, you probably have personal
relations to someone who has personal relations to one of the swedes
or other nationalities that were present at the key ceremonies for the
root. Once you've established that the signatures on the root KSK are good
(which -- because of the above -- should be doable OOB quite easily for
you) you can start validating the entire chain of trust.

Quite trivial, in fact.


and how about a end user, who doesn't understand a computer at all, to be able 
verify the signatures, correctly?

-- 
//fredan
Previous By Date Next
Previous By Thread Next

Current thread: