[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8k7x1jmE81FJULTobd6qW4Vr30LhMSP4nijDpvdv6FhWQ@mail.gmail.com>
Date: Thu, 24 Oct 2013 04:54:24 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Fabian Wenk <fabian@...ks.ch>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: Slightly OT: What SSL cert do you consider
strongest?
On Wed, Oct 23, 2013 at 11:59 AM, Fabian Wenk <fabian@...ks.ch> wrote:
>
> There are steps you could do to protect your customers in the future, as the
> use of such services from the client side is not fully supported yet. Sign
> your DNS zone with DNSSEC and let add the corresponding entries to your
> upstream TLD. But the clients (e.g. customers computers) need also to use
> and check DNSSEC when resolving (this also depends on the upstream name
> server, e.g. from your ISP). And then also add DANE [1] entries into your
> DNS zone for the hostnames which provide SSL or TLS services.
Utilizing DNS just moves the key distribution problem around. Instead
of trusting a CA you're now trusting DNS. In either case, you're still
likely trusting someone (CA or DNS) external to your organization.
Dr. Bernstein has a good time with DNSSEC in his talks. See, for
example, Cryptography Worst Practices,
http://secappdev.org/lectures/144. The entire talk is good, but his
DNSSEC bashing occurs around 14:40 (min:sec).
Jeff
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists