nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
From: Tony Finch <dot () dotat at>
Date: Mon, 12 Sep 2011 22:51:04 +0100
fredrik danerklint <fredan-nanog () fredan se> wrote:
and how about a end user, who doesn't understand a computer at all, to be able verify the signatures, correctly?
The current trust model for DNSSEC relies on the vendor of the validator to bootstrap trust in the root key. This is partly a matter of pragmatism since the validator is a black-box agent acting on the user's behalf, like any other software. It is also required by the root key management policies, since a root key rollover takes a small number of weeks, much shorter than the not-in-service shelf life of validating software and hardware. This means that a validator cannot simply use the root key as a trust anchor and expect to work: it needs some extra infrastructure supported by the vendor to authenticate the root key if there happens to have been a rollover between finalizing the software and deploying it. Tony. -- f.anthony.n.finch <dot () dotat at> http://dotat.at/ Biscay, FitzRoy: Southwesterly 4 or 5, veering northerly or northwesterly 5 or 6, occasionally 7 later in southeast Fitzroy. Rough or very rough. Rain or showers. Good, occasionally poor.
Current thread:
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates, (continued)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Martin Millnert (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Joe Greco (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Marcus Reid (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Måns Nilsson (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Måns Nilsson (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Tony Finch (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Tei (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Chris Adams (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Brett Frankenberger (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Chris Adams (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Peter Kristolaitis (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases David Israel (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Chris Adams (Sep 13)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Lou Katz (Sep 14)