nanog mailing list archives

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases


From: fredrik danerklint <fredan-nanog () fredan se>
Date: Tue, 13 Sep 2011 00:04:39 +0200

Tony,

Thanks for this explanation! 

I think this is what I've been looking for regarding securing DNSSEC.


and how about an end user, who doesn't understand a computer at all, to
be able to verify the signatures, correctly?

The current trust model for DNSSEC relies on the vendor of the validator
to bootstrap trust in the root key. This is partly a matter of pragmatism
since the validator is a black-box agent acting on the user's behalf, like
any other software.

It is also required by the root key management policies, since a root key
rollover takes a small number of weeks, much shorter than the
not-in-service shelf life of validating software and hardware. This means
that a validator cannot simply use the root key as a trust anchor and
expect to work: it needs some extra infrastructure supported by the vendor
to authenticate the root key if there happens to have been a rollover
between finalizing the software and deploying it.

Tony.

-- 
//fredan

