[144454] in North American Network Operators' Group
Re: Why are we still using the CA model? (Re: Microsoft deems all
daemon@ATHENA.MIT.EDU (Randy Bush)
Mon Sep 12 10:58:29 2011
Date: Mon, 12 Sep 2011 16:57:44 +0200
From: Randy Bush <randy@psg.com>
To: Michael Thomas <mike@mtcc.com>
In-Reply-To: <4E6E1D05.3050902@mtcc.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>> with dane, i trust whoever runs dns for citibank to identify the cert
>> for citibank. this seems much more reasonable than other approaches,
>> though i admit to not having dived deeply into them all.
> If the root DNS keys were compromised in an all DNS rooted world...
> unhappiness would ensue in great volume.
as eliot pointed out, to defeat dane as currently written, you would
have to compromise dnssec at the same time as you compromised the CA at
the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
CA trust.
randy
