[110432] in North American Network Operators' Group


Re: Security team successfully cracks SSL using 200 PS3's and MD5

daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Jan 5 16:00:16 2009

From: Joe Abley <jabley@hopcount.ca>
To: Randy Bush <randy@psg.com>
In-Reply-To: <496271DA.7040708@psg.com>
Date: Mon, 5 Jan 2009 15:59:54 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>, Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces@nanog.org


On 2009-01-05, at 15:47, Randy Bush wrote:

> perhaps i am a bit slow.  but could someone explain to me how trust  
> in dns data transfers to trust in an http partner and other uses to  
> which ssl is put?

If I can get secure answers to "www.bank.example IN CERT?" and
"www.bank.example IN A?" then perhaps when I connect to www.bank.example:443 I can
decide to trust the certificate presented by the server based on the
trust anchor I extracted from the DNS, rather than whatever trust
anchors were bundled with my browser.

That presumably would mean that the organisation responsible for  
bank.example could run their own CA and publish their own trust  
anchor, without having to buy that service from one of the traditional  
CA companies.

No doubt there is more to it than that. I don't know anything much  
about X.509.


Joe
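The decision Joe sketches above, as an added illustration (not code from the post or from any NANOG participant): parse a CERT RR in its RFC 4398 presentation format, use it as a trust anchor only when the resolver reports the answer as DNSSEC-validated, and compare the certificate the server presents against that anchor instead of against a browser-bundled one. The certificate bytes, key tag and the `DnsAnswer.authenticated` flag are constructed stand-ins, not real data or a real resolver API.

```python
import base64
import hashlib
from dataclasses import dataclass

# CERT RR presentation format (RFC 4398): "<type> <key-tag> <algorithm> <base64 certificate>".
# Type 1 = PKIX, i.e. an X.509 certificate, which is the case the post has in mind.
CERT_TYPE_PKIX = 1


@dataclass
class DnsAnswer:
    """A resolver answer plus whether the resolver validated it (the DNSSEC AD bit).
    Constructed stand-in for a real resolver result."""
    rdata: list           # CERT RR presentation strings
    authenticated: bool


def parse_cert_rr(rdata):
    """Split one CERT RR into (type, key_tag, algorithm, DER bytes)."""
    cert_type, key_tag, algorithm, cert_b64 = rdata.split(None, 3)
    der = base64.b64decode("".join(cert_b64.split()))
    return int(cert_type), int(key_tag), int(algorithm), der


def trust_anchors_from_dns(answer):
    """Return the PKIX certificates published in a *secure* CERT answer, else none.
    An unvalidated answer gives no more assurance than no answer at all."""
    if not answer.authenticated:
        return []
    anchors = []
    for rr in answer.rdata:
        cert_type, _, _, der = parse_cert_rr(rr)
        if cert_type == CERT_TYPE_PKIX:
            anchors.append(der)
    return anchors


def accept_server_cert(presented_der, answer):
    """Accept the presented certificate only if it matches a DNS-published anchor.
    Matching here is by SHA-256 of the DER bytes, the simplest form of 'matches the
    anchor'; a full client would instead build a chain from the presented cert to it."""
    presented = hashlib.sha256(presented_der).digest()
    return any(hashlib.sha256(a).digest() == presented for a in trust_anchors_from_dns(answer))


# Constructed sample data: not real certificates, just bytes standing in for DER.
BANK_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-www.bank.example-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-other-cert"
BANK_CERT_RR = "1 12345 8 " + base64.b64encode(BANK_CERT_DER).decode()
SECURE_ANSWER = DnsAnswer(rdata=[BANK_CERT_RR], authenticated=True)
INSECURE_ANSWER = DnsAnswer(rdata=[BANK_CERT_RR], authenticated=False)
```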


