nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
From: fredrik danerklint <fredan-nanog () fredan se>
Date: Tue, 13 Sep 2011 00:04:39 +0200
Tony, Thanks for this explanation! I think this is what I've been looking for regarding securing DNSSEC.
and how about a end user, who doesn't understand a computer at all, to be able verify the signatures, correctly?The current trust model for DNSSEC relies on the vendor of the validator to bootstrap trust in the root key. This is partly a matter of pragmatism since the validator is a black-box agent acting on the user's behalf, like any other software. It is also required by the root key management policies, since a root key rollover takes a small number of weeks, much shorter than the not-in-service shelf life of validating software and hardware. This means that a validator cannot simply use the root key as a trust anchor and expect to work: it needs some extra infrastructure supported by the vendor to authenticate the root key if there happens to have been a rollover between finalizing the software and deploying it. Tony.
-- //fredan
Current thread:
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates, (continued)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Joe Greco (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Marcus Reid (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Måns Nilsson (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Måns Nilsson (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Tony Finch (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Tei (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Chris Adams (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Brett Frankenberger (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Chris Adams (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Peter Kristolaitis (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases David Israel (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Chris Adams (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Lou Katz (Sep 14)
- Opta revokes Diginotar TTP license (Was: Microsoft deems all DigiNotar certificates untrustworthy, releases) Jeroen Massar (Sep 14)