nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
From: Eliot Lear <lear () cisco com>
Date: Mon, 12 Sep 2011 21:53:59 +0200
On 9/12/11 4:32 PM, Jason Duerstock wrote:
> Except that this just shifts the burden of trust on to DNSSEC, which also necessitates a central authority of 'trust'. Unless there's an explicitly more secure way of storing DNSSEC private keys, this just moves the bullseye from CAs to DNSSEC signers.

I said "some", not all, of the responsibility. By adding an independent PKI there is an additional control put in place to confirm that in fact the signer is authorized to sign. Should one go as far as to remove CA caches from browsers altogether?

Eliot