[144440] in North American Network Operators' Group


Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

daemon@ATHENA.MIT.EDU (fredrik danerklint)
Mon Sep 12 05:50:11 2011

From: fredrik danerklint <fredan-nanog@fredan.se>
To: nanog@nanog.org
Date: Mon, 12 Sep 2011 11:46:04 +0200
In-Reply-To: <167272.1315816743@turing-police.cc.vt.edu>

> > How about a TXT record with the CN string of the CA cert subject in it?
> > If it exists and there's a conflict, don't trust it.  Seems simple
> > enough to implement without too much collateral damage.
> 
> Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> to attacks via DNS poisoning (either insert a malicious TXT that matches
> your malicious certificate, or insert a malicious TXT that intentionally
> *doesn't* match the victim's certificate)....

And how do you validate the DNSSEC to make sure that no one has tampered with
it?

-- 
//fredan
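The check proposed in the thread, as an added example that is not part of the original post: a zone publishes a TXT record naming the CN of the CA it expects, and a validating resolver's AD flag (here a `dnssec_validated` field on a constructed answer) decides whether the record may influence trust. The `ca-cn=` record format, the sample CNs and the answer structure are assumptions for illustration.

```python
# Models the TXT-pins-CA-CN idea from the thread and shows why the resolver's
# DNSSEC validation result must gate the decision. Record format and the
# TxtAnswer shape are assumptions; nothing here performs a real DNS lookup.
from dataclasses import dataclass, field


@dataclass
class TxtAnswer:
    """A TXT RRset as a recursive resolver would hand it back (constructed)."""
    records: list = field(default_factory=list)  # e.g. "ca-cn=Example Root CA"
    dnssec_validated: bool = False               # AD bit: chain validated by resolver


def pinned_ca_cn(answer: TxtAnswer):
    """Return the CA subject CN the zone owner pinned, or None if no pin exists."""
    for txt in answer.records:
        if txt.startswith("ca-cn="):
            return txt[len("ca-cn="):]
    return None


def evaluate_naive(issuer_cn: str, answer: TxtAnswer) -> str:
    """The first proposal in the thread: consult the TXT record as-is.
    Any forged answer (cache poisoning) steers the result."""
    pinned = pinned_ca_cn(answer)
    if pinned is None:
        return "no-policy"
    return "trust" if pinned == issuer_cn else "reject"


def evaluate(issuer_cn: str, answer: TxtAnswer) -> str:
    """The corrected rule: only a DNSSEC-validated answer carries policy.
    An unvalidated record is ignored, so a forged TXT can neither whitelist
    a rogue issuer nor deny the victim's legitimate certificate."""
    if not answer.dnssec_validated:
        return "no-policy"
    return evaluate_naive(issuer_cn, answer)


if __name__ == "__main__":
    # Constructed cases: a validated pin, and the two spoofing variants from the thread.
    good = TxtAnswer(["ca-cn=Example Root CA"], dnssec_validated=True)
    forged_allow = TxtAnswer(["ca-cn=Rogue CA"], dnssec_validated=False)
    forged_deny = TxtAnswer(["ca-cn=Some Other CA"], dnssec_validated=False)
    print(evaluate("Example Root CA", good))          # trust
    print(evaluate_naive("Rogue CA", forged_allow))   # trust  (poisoning wins)
    print(evaluate("Rogue CA", forged_allow))         # no-policy
    print(evaluate_naive("Example Root CA", forged_deny))  # reject (victim denied)
    print(evaluate("Example Root CA", forged_deny))   # no-policy
```

"no-policy" means the client falls back to its ordinary CA trust decision rather than letting an unverifiable record override it.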

