[144437] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Sep 12 04:40:36 2011
To: Marcus Reid <marcus@blazingdot.com>
In-Reply-To: Your message of "Mon, 12 Sep 2011 04:39:52 -0000."
<20110912043952.GA92788@blazingdot.com>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 12 Sep 2011 04:39:03 -0400
Cc: NANOG mailing list <nanog@nanog.org>, Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, 12 Sep 2011 04:39:52 -0000, Marcus Reid said:
> You don't have to have the big fat Mozilla root cert bundle on your
> machines. Some OSes "ship" with an empty /etc/ssl, nobody tells you who
> you trust.
And for those OS's (who are they, anyhow) that ship empty bundles,
how many CAs do you end up trusting anyhow?
> How about a TXT record with the CN string of the CA cert subject in it?
> If it exists and there's a conflict, don't trust it. Seems simple
> enough to implement without too much collateral damage.
Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
to attacks via DNS poisoning (either insert a malicious TXT that matches your
malicious certificate, or insert a malicious TXT that intentionally *doesn't* match
the victim's certificate)....
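The TXT-record idea from Marcus's message with the DNSSEC requirement from Valdis's reply, written out as an added example (not code from the thread or from either poster). Assumptions: the `ca-cn=<CN>` record format is constructed for this example and is not a registered convention; `TXTAnswer.Validated` stands in for the resolver's AD (Authenticated Data) bit; the CA and leaf certificate are generated in memory so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TXTAnswer stands in for a TXT lookup result (assumed shape, not a real
// resolver API). Validated mirrors the resolver's AD bit: true only when the
// resolver itself DNSSEC-validated the answer.
type TXTAnswer struct {
	Records   []string
	Validated bool
}

type Verdict int

const (
	NoPolicy Verdict = iota // no usable validated record: trust store decides alone
	Match                   // issuer CN is one the zone owner published
	Conflict                // a validated record exists and names a different CA
)

// policyPrefix is a constructed record format for this example ("ca-cn=<CN>").
const policyPrefix = "ca-cn="

// checkIssuerPolicy applies the thread's proposal with the DNSSEC caveat:
// an unvalidated record is ignored rather than acted on, so a spoofed TXT can
// neither bless a rogue certificate nor manufacture a false conflict against
// the legitimate one.
func checkIssuerPolicy(leaf *x509.Certificate, ans TXTAnswer) Verdict {
	if !ans.Validated {
		return NoPolicy
	}
	var expected []string
	for _, r := range ans.Records {
		if strings.HasPrefix(r, policyPrefix) {
			expected = append(expected, strings.TrimPrefix(r, policyPrefix))
		}
	}
	if len(expected) == 0 {
		return NoPolicy
	}
	for _, cn := range expected {
		if cn == leaf.Issuer.CommonName {
			return Match
		}
	}
	return Conflict
}

// newTestChain builds a throwaway CA with the given CN and a leaf it signs,
// so no real certificate or network access is needed.
func newTestChain(caCN, host string) (*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caCN},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Signing with the CA template as parent puts the CA's Subject into the
	// leaf's Issuer field, which is what the policy compares against.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(leafDER)
}

func main() {
	leaf, err := newTestChain("Example Root CA", "www.example.com")
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		ans  TXTAnswer
	}{
		{"validated, matching CA", TXTAnswer{[]string{"ca-cn=Example Root CA"}, true}},
		{"validated, different CA", TXTAnswer{[]string{"ca-cn=Some Other CA"}, true}},
		{"unvalidated, different CA", TXTAnswer{[]string{"ca-cn=Some Other CA"}, false}},
	}
	for _, c := range cases {
		fmt.Printf("%-26s -> %v\n", c.name, checkIssuerPolicy(leaf, c.ans))
	}
}
```

The third case is the one Valdis's reply is about: without the AD bit the record carries no authority, so a poisoned answer naming a different CA yields NoPolicy (the ordinary trust-store check still runs), not a false Conflict; the mirror case, a poisoned record that matches a rogue issuer, likewise cannot produce Match.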