[191280] in North American Network Operators' Group


Re: Chinese root CA issues rogue/fake certificates

daemon@ATHENA.MIT.EDU (Mark Andrews)
Wed Aug 31 23:06:17 2016

X-Original-To: nanog@nanog.org
To: Lyndon Nerenberg <lyndon@orthanc.ca>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Wed, 31 Aug 2016 18:49:17 -0700."
 <A75AD418-262A-4F12-A7FA-3C8D3861D1DA@orthanc.ca>
Date: Thu, 01 Sep 2016 13:06:03 +1000
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


In message <A75AD418-262A-4F12-A7FA-3C8D3861D1DA@orthanc.ca>, Lyndon Nerenberg 
writes:
> > On Aug 31, 2016, at 6:36 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
> >
> > Thanks, Netscape.  Great ecosystem you built.
>
> Nobody at that time had a clue how this environment was going to scale,
> let alone what the wide-ranging security issues would be.
>
> And where were you back then, not saving us from our erroneous path ...

Well, lots of people have been pointing out the risks for years.

We are nowhere at "too big to fail" here.

We also have TLSA which can be used to prevent spoofed CERTs being
successful.  If you have a CERT you should be publishing a TLSA
record and have it DNSSEC signed.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
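
Added example, not part of the original message: one way to derive the TLSA record the post recommends publishing, and to check a presented certificate against it, using the `openssl` CLI (assumed installed). The hostname, file names and function names are illustrative assumptions, and the check is only meaningful when the TLSA RRset itself is fetched with DNSSEC validation.

```shell
#!/bin/sh
# Added example: derive and check a DANE-EE "3 1 1" TLSA record (RFC 6698).
# Hostname, file names and function names are illustrative assumptions.

# Print the SHA-256 of the certificate's SubjectPublicKeyInfo
# (TLSA selector 1, matching type 1) as lowercase hex.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Print the zone-file line to publish and DNSSEC-sign.
tlsa_record() {   # usage: tlsa_record <cert.pem> <host> [port]
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "${3:-443}" "$2" "$(spki_sha256 "$1")"
}

# Return 0 only if the presented certificate matches the published data.
tlsa_check() {    # usage: tlsa_check <cert.pem> <hex-from-TLSA-record>
    [ "$(spki_sha256 "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Constructed sample input: two throwaway self-signed certificates for the
# same name with different keys, standing in for the operator's certificate
# and one mis-issued for that name by some other CA.
make_cert() {     # usage: make_cert <out-prefix>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=www.example.com' \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/real" && make_cert "$dir/rogue" || return 1
    tlsa_record "$dir/real.pem" www.example.com
    published=$(spki_sha256 "$dir/real.pem")
    tlsa_check "$dir/real.pem"  "$published" && echo "real cert:  TLSA match"
    tlsa_check "$dir/rogue.pem" "$published" || echo "rogue cert: TLSA mismatch, reject"
    rm -rf "$dir"
}
demo
```

With usage 3 (DANE-EE) the match is against the server's own key, so a certificate for the same name from any other issuer fails the check regardless of which CAs the client trusts.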
