nanog mailing list archives
Re: Chinese root CA issues rogue/fake certificates
From: Mark Andrews <marka () isc org>
Date: Thu, 01 Sep 2016 13:06:03 +1000
In message <A75AD418-262A-4F12-A7FA-3C8D3861D1DA () orthanc ca>, Lyndon Nerenberg writes:
> On Aug 31, 2016, at 6:36 PM, Matt Palmer <mpalmer () hezmatt org> wrote:
> > Thanks, Netscape. Great ecosystem you built.
>
> Nobody at that time had a clue how this environment was going to scale, let alone what the wide-ranging security issues would be.
>
> And where were you back then, not saving us from our erroneous path ...
Well lots of people have been pointing out the risks for years. We are nowhere at "too big to fail" here. We also have TLSA which can be used to prevent spoofed CERTs being successful.

If you have a CERT you should be publishing a TLSA record and have it DNSSEC signed.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka () isc org
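Added example, not part of the message above or of the list archive: how a TLSA record pins a server's key, so that a certificate issued by a different CA for the same name but with a different key fails the check. It handles DANE-EE (usage 3) only, uses a constructed DER skeleton in place of a real certificate (`tlv` and `sample_cert` are hypothetical helpers), and assumes the TLSA answer has already been DNSSEC-validated by the resolver.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER subjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for field in range(5):                  # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_record(cert_der, selector=1, mtype=1):
    """Build DANE-EE TLSA rdata: selector 0=full cert, 1=SPKI; mtype 0=raw, 1=SHA-256, 2=SHA-512."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector or matching type")
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype:
        data = hashlib.new("sha256" if mtype == 1 else "sha512", data).digest()
    return f"3 {selector} {mtype} {data.hex()}"

def tlsa_matches(rdata, cert_der):
    """True if the certificate the server presented matches the published TLSA rdata."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    if usage != "3":
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    expected = tlsa_record(cert_der, int(selector), int(mtype)).split()[3]
    return expected == "".join(hexdata.split()).lower()

def tlv(tag, value):                        # constructed-sample helper: DER-encode one element
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_cert(key_bytes):                 # constructed DER skeleton, not a real certificate
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key_bytes))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")), spki
```

With selector 1 the record survives certificate renewal as long as the key is reused; with selector 0 it must be republished for every new certificate.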