Re: Slightly OT: What SSL cert do you consider strongest?

[Jeffrey Walton <noloader () gmail com>]

On Wed, Oct 23, 2013 at 11:59 AM, Fabian Wenk <fabian () wenks ch> wrote:
> There are steps you could do to protect your customers in the future, as the
> use of such services from the client side is not fully supported yet. Sign
> your DNS zone with DNSSEC and let add the corresponding entries to your
> upstream TLD. But the clients (e.g. customers computers) need also to use
> and check DNSSEC when resolving (this also depends on the upstream name
> server, e.g. from your ISP). And then also add DANE [1] entries into your
> DNS zone for the hostnames which provide SSL or TLS services.
Utilizing DNS just moves the key distribution problem around. Instead
of trusting a CA you're now trusting DNS. In either case, you're still
likely trusting someone (CA or DNS) external to your organization.

Dr. Bernstein has a good time with DNSSEC in his talks. See, for
example, Cryptography Worst Practices,
http://secappdev.org/lectures/144. The entire talk is good, but his
DNSSEC bashing occurs around 14:40 (min:sec).

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/