[110442] in North American Network Operators' Group


Re: Security team successfully cracks SSL using 200 PS3's and MD5

daemon@ATHENA.MIT.EDU (Mark Andrews)
Mon Jan 5 17:44:03 2009

To: Jason Uhlenkott <jasonuhl@jasonuhl.org>
From: Mark Andrews <Mark_Andrews@isc.org>
In-reply-to: Your message of "Mon, 05 Jan 2009 12:18:59 -0800."
	<20090105201859.GC15107@ferrum.uhlenkott.net> 
Date: Tue, 06 Jan 2009 09:43:51 +1100
Cc: "nanog@nanog.org" <nanog@nanog.org>, Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces@nanog.org


In message <20090105201859.GC15107@ferrum.uhlenkott.net>, Jason Uhlenkott writes:
> On Fri, Jan 02, 2009 at 15:33:05 -0600, Joe Greco wrote:
> > This would seem to point out some critical shortcomings in the current SSL
> > system; these shortcomings are not necessarily technological, but rather
> > social/psychological.  We need the ability for Tom, Dick, or Harry to be
> > able to crank out a SSL cert with a minimum of fuss or cost; having to 
> > learn the complexities of SSL is itself a "fuss" which has significantly 
> > and negatively impacted Internet security.
> > 
> > Somehow, we managed to figure out how to do this with PGP and keysigning,
> > but it all fell apart (I can hear the "it doesn't scale" already) with SSL.
> 
> If we had DNSSEC, we could do away with SSL CAs entirely.  The owner
> of each domain or host could publish a self-signed cert in a TXT RR,
> and the DNS chain of trust would be the only form of validation needed.
 
Or one could use the CERT to publish a cert :-)

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
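
The check the thread describes (accept a server certificate only when it is published in DNS under a validated DNSSEC chain), sketched for the CERT record Mark mentions. This is an added example, not part of the original message; the function names and sample bytes are hypothetical, the RDATA layout (16-bit type, 16-bit key tag, 8-bit algorithm, then the certificate) follows RFC 4398, and the DNSSEC validation result is assumed to come from a validating resolver.

```python
import hmac
import struct

CERT_TYPE_PKIX = 1  # RFC 4398 certificate type: X.509 as per PKIX


def parse_cert_rdata(rdata: bytes):
    """Split CERT RDATA into (cert_type, key_tag, algorithm, certificate)."""
    if len(rdata) < 6:  # 5-byte fixed header plus at least one certificate byte
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]


def cert_matches_dns(presented_der: bytes, rdatas, dnssec_validated: bool) -> bool:
    """True only if a DNSSEC-validated CERT RRset contains the presented cert.

    presented_der    -- DER certificate the server sent in the TLS handshake
    rdatas           -- raw RDATA of each CERT record at the host's name
    dnssec_validated -- assumption: set by a validating resolver for this RRset
    """
    if not dnssec_validated:
        # Unsigned DNS data can be spoofed, so a match proves nothing: fail closed.
        return False
    for rdata in rdatas:
        try:
            cert_type, _key_tag, _algorithm, published = parse_cert_rdata(rdata)
        except ValueError:
            continue  # skip malformed records, keep checking the rest
        if cert_type != CERT_TYPE_PKIX:
            continue  # other CERT types (e.g. PGP) are not X.509 certificates
        if hmac.compare_digest(published, presented_der):
            return True
    return False


# Constructed sample data: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed-placeholder-for-DER-certificate"
# Key tag 0 and algorithm 0 are used here for the constructed record.
SAMPLE_RDATA = struct.pack("!HHB", CERT_TYPE_PKIX, 0, 0) + SAMPLE_DER

if __name__ == "__main__":
    print(cert_matches_dns(SAMPLE_DER, [SAMPLE_RDATA], dnssec_validated=True))
    print(cert_matches_dns(SAMPLE_DER, [SAMPLE_RDATA], dnssec_validated=False))
```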

