nanog mailing list archives
DNSSEC vs. X509 (Re: Security team successfully cracks SSL...)
From: Paul Vixie <vixie () isc org>
Date: Tue, 06 Jan 2009 05:32:36 +0000
Joe Abley <jabley () hopcount ca> writes:
On 2009-01-05, at 15:18, Jason Uhlenkott wrote:If we had DNSSEC, we could do away with SSL CAs entirely. The owner of each domain or host could publish a self-signed cert in a TXT RR,... or even in a CERT RR, as I heard various clever people talking about in some virtual hallway the other day. <http://www.isi.edu/in-notes/rfc2538.txt>.
i wasn't clever but i was in that hallway. it's more complicated than RFC 2538, but there does seem to be a way forward involving SSL/TLS (to get channel encryption) but where a self-signed key could be verified using a CERT RR (to get endpoint identity authentication). the attacks recently have been against MD5 (used by some X.509 CA's) and against an X.509 CA's identity verification methods (used at certificate granting time). no recent attack has shaken my confidence in SSL/TLS negotiation or encryption, but frankly i'm a little worried about nondeployability of X.509 now that i see what the CA's are doing operationally when they start to feel margin pressure and need to keep volume up + costs down. i don't have a specific proposal. (yet.) but i'm investigating, and i recommend others do likewise. -- Paul Vixie
Current thread:
- Re: Security team successfully cracks SSL using 200 PS3's and MD5, (continued)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Randy Bush (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Abley (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Randy Bush (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Valdis . Kletnieks (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Joe Greco (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Jason Uhlenkott (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Matthew Kaufman (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Michael Sinatra (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Colin Alston (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Mark Andrews (Jan 05)
- DNSSEC vs. X509 (Re: Security team successfully cracks SSL...) Paul Vixie (Jan 05)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Mark Andrews (Jan 05)
- RE: Security team successfully cracks SSL using 200 PS3's and MD5 Stasiniewicz, Adam (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Robert Mathews (OSIA) (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Dragos Ruiu (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Gadi Evron (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Dragos Ruiu (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Christopher Morrow (Jan 02)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 William Warren (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Dorn Hetzel (Jan 03)
- Re: Security team successfully cracks SSL using 200 PS3's and MD5 Marshall Eubanks (Jan 03)