Full Disclosure mailing list archives
Re: Slightly OT: What SSL cert do you consider strongest?
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 24 Oct 2013 04:54:24 -0400
On Wed, Oct 23, 2013 at 11:59 AM, Fabian Wenk <fabian () wenks ch> wrote:
> There are steps you could take to protect your customers in the future, as the use of such services from the client side is not fully supported yet. Sign your DNS zone with DNSSEC and have the corresponding entries added to your upstream TLD. But the clients (e.g. customers' computers) also need to use and check DNSSEC when resolving (this also depends on the upstream name server, e.g. from your ISP). And then also add DANE [1] entries into your DNS zone for the hostnames which provide SSL or TLS services.
Utilizing DNS just moves the key distribution problem around. Instead of trusting a CA you're now trusting DNS. In either case, you're still likely trusting someone (CA or DNS) external to your organization.

Dr. Bernstein has a good time with DNSSEC in his talks. See, for example, Cryptography Worst Practices, http://secappdev.org/lectures/144. The entire talk is good, but his DNSSEC bashing occurs around 14:40 (min:sec).

Jeff
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
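
The DANE entries mentioned in the quoted message are TLSA records, which a client compares against the certificate the server presents. The sketch below is an added example, not part of the original post or thread: it derives and checks the association data for usage 3 (DANE-EE) records, and shows why a selector 1 (public key) record survives a certificate reissue while a selector 0 (whole certificate) record does not. All function names are hypothetical, and `fake_cert` builds a constructed DER skeleton with dummy field contents rather than a real certificate.

```python
import hashlib

def tlv(tag, body):
    """Encode one DER element with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read(buf, off):
    """Return (tag, content_start, end) for the DER element at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                       # long form: low 7 bits = length octets
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + n

def spki(cert):
    """Return the SubjectPublicKeyInfo element of a DER certificate."""
    _, off, _ = read(cert, 0)          # Certificate
    _, off, _ = read(cert, off)        # tbsCertificate
    tag, _, end = read(cert, off)
    if tag == 0xA0:                    # optional [0] version
        off = end
    for _ in range(5):                 # serial, sig alg, issuer, validity, subject
        _, _, off = read(cert, off)
    return cert[off:read(cert, off)[2]]

HASHES = {0: bytes, 1: lambda d: hashlib.sha256(d).digest(),
          2: lambda d: hashlib.sha512(d).digest()}

def tlsa_data(cert, selector, mtype):
    """Certificate association data: selector 0 = whole cert, 1 = SPKI."""
    return HASHES[mtype](cert if selector == 0 else spki(cert)).hex()

def tlsa_matches(cert, record):
    """Check a server certificate against one 'usage selector mtype data' record."""
    usage, selector, mtype, data = record.split()
    if usage != "3":                   # only DANE-EE; other usages need chain checks
        raise ValueError("unsupported usage")
    return tlsa_data(cert, int(selector), int(mtype)) == data.lower()

def fake_cert(serial, key):
    """Constructed skeleton: real X.509 field layout, dummy contents."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, serial), seq(), seq(),
              seq(), seq(), seq(seq(), tlv(0x03, b"\x00" + key)))
    return seq(tbs, seq(), tlv(0x03, b"\x00"))
```

The comparison is only meaningful when the record itself arrived in a DNSSEC-validated answer; this code assumes that validation happened elsewhere and does not perform it.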