[110436] in North American Network Operators' Group


Re: Security team successfully cracks SSL using 200 PS3's and MD5

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Jan 5 16:23:40 2009

To: Randy Bush <randy@psg.com>
In-Reply-To: Your message of "Tue, 06 Jan 2009 06:09:34 +0900."
	<4962770E.7060000@psg.com>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 05 Jan 2009 16:23:22 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>, Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces@nanog.org

On Tue, 06 Jan 2009 06:09:34 +0900, Randy Bush said:

> to use your example, the contractor who serves dns for www.bank.example 
> could insert a cert and then fake the web site having (a child of) that 
> cert.  whereas, if the site had its cert a descendant of the ca for all 
> banks, this attack would fail.

All you've done *there* is transfer the trust from the contractor to
the company that's the "ca for the bank".  Yes, the ca-for-banks.com
has a vested interest in making sure none of its employees go rogue and
do something naughty - but so does the DNS contractor.

One could equally well argue that if a site was using the DNS for certs,
it would be immune to an attack on a CA.

