nanog mailing list archives

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

From: Eliot Lear <lear () cisco com>
Date: Mon, 12 Sep 2011 21:53:59 +0200



On 9/12/11 4:32 PM, Jason Duerstock wrote:

Except that this just shifts the burden of trust on to DNSSEC, which
also necessitates a central authority of 'trust'.  Unless there's an
explicitly more secure way of storing DNSSEC private keys, this just
moves the bullseye from CAs to DNSSEC signers.


I said "some", not all, of the responsibility.  By adding an independent
PKI there is an additional control put in place to confirm that in fact
the signer is authorized to sign.  Should one go as far as to remove CA
caches from browsers altogether?

Eliot

Current thread:

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates, (continued)
- - - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Robert Bonomi (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Mike Jones (Sep 12)
  - RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Hank Nussbacher (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Eliot Lear (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Jason Duerstock (Sep 12)
    - Re: DANE and DNSSEC, was Microsoft deems all DigiNotar John Levine (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Eliot Lear (Sep 12)