[144457] in North American Network Operators' Group


Re: Why are we still using the CA model? (Re: Microsoft deems all

daemon@ATHENA.MIT.EDU (Randy Bush)
Mon Sep 12 11:13:11 2011

Date: Mon, 12 Sep 2011 17:12:24 +0200
From: Randy Bush <randy@psg.com>
To: Michael Thomas <mike@mtcc.com>
In-Reply-To: <4E6E20C7.9030905@mtcc.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

>> as eliot pointed out, to defeat dane as currently written, you would
>> have to compromise dnssec at the same time as you compromised the CA at
>> the same time as you ran the mitm.  i.e. it _adds_ dnssec assurance to
>> CA trust.
> Yes, I saw that. It also drives up complexity too and makes you wonder
> what the added value of those cert vendors is for the money you're
> forking over.  Especially when you consider the criticality of dns
> naming for everything except web site host names using tls. And how
> long would it be before browsers allowed
> self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?

agree
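The exchange above turns on what a DANE-capable client actually checks: with certificate usage 1 (PKIX-EE) the end-entity cert must pass normal CA validation and match a DNSSEC-signed TLSA record, so an attacker with a mis-issued cert from a compromised CA still fails; with usage 3 (DANE-EE) the DNSSEC-signed hash alone is sufficient, which is exactly the "self-signed but OK'ed via DNSSEC-protected cert hash" case Michael asks about. The following is an added example (not code from the thread or from any of its participants) that models the RFC 6698 matching logic for those two usages. It assumes that DNSSEC validation of the TLSA RRset and ordinary PKIX chain validation have already been done by the caller and are passed in as booleans; the DER blobs are constructed stand-ins, and usages 0 and 2 (trust-anchor constraints) are not modelled.

```python
"""DANE/TLSA end-entity matching as specified in RFC 6698 (added example).

Assumptions: the caller has already (a) DNSSEC-validated the TLSA RRset and
(b) run normal PKIX chain validation; both results arrive as booleans.
The DER byte strings below are constructed stand-ins, not real certificates.
"""
import hashlib
from dataclasses import dataclass

# Certificate usage (RFC 6698 s.2.1.1); only the two end-entity usages are modelled.
PKIX_EE = 1   # CA-validated chain AND the EE cert must match the TLSA data
DANE_EE = 3   # EE cert must match the TLSA data; no CA is consulted at all
# Selector (s.2.1.2) and matching type (s.2.1.3)
FULL_CERT, SPKI = 0, 1
EXACT, SHA256, SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


@dataclass(frozen=True)
class EndEntity:
    cert_der: bytes      # full certificate, DER (stand-in here)
    spki_der: bytes      # SubjectPublicKeyInfo, DER (stand-in here)
    pkix_valid: bool     # did ordinary CA-chain validation succeed? (assumed done elsewhere)


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation-format RDATA such as '3 1 1 2bb1...' into a record."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def matching_data(rec: TLSARecord, ee: EndEntity) -> bytes:
    """Compute the bytes the TLSA data field is compared against for this cert."""
    selected = ee.cert_der if rec.selector == FULL_CERT else ee.spki_der
    if rec.matching_type == EXACT:
        return selected
    if rec.matching_type == SHA256:
        return hashlib.sha256(selected).digest()
    if rec.matching_type == SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching_type}")


def dane_accepts(records, ee: EndEntity, tlsa_dnssec_secure: bool):
    """Return (accepted, reason) for a presented end-entity certificate."""
    if not tlsa_dnssec_secure:
        # An unauthenticated TLSA RRset must be ignored; the client is back to
        # plain CA trust, which is the situation DANE is meant to improve on.
        return ee.pkix_valid, "TLSA not DNSSEC-secure: plain PKIX result used"
    for rec in records:
        hit = matching_data(rec, ee) == rec.data
        if rec.usage == PKIX_EE and hit and ee.pkix_valid:
            return True, "PKIX-EE: CA chain valid and cert pinned by DNSSEC-signed TLSA"
        if rec.usage == DANE_EE and hit:
            return True, "DANE-EE: cert matches DNSSEC-signed hash; CA not consulted"
    return False, "no usable TLSA record matched this certificate"


# Constructed sample data (stand-ins for real DER encodings).
SERVER_EE = EndEntity(b"DER:cert:server.example", b"DER:spki:server.example", pkix_valid=True)
# Same key as the server, but self-signed, so PKIX validation fails.
SELF_SIGNED_EE = EndEntity(b"DER:cert:selfsigned", b"DER:spki:server.example", pkix_valid=False)
# MITM cert mis-issued by a compromised CA: PKIX-valid, but a different key.
ROGUE_EE = EndEntity(b"DER:cert:mitm-from-compromised-ca", b"DER:spki:attacker", pkix_valid=True)

PKIX_EE_RECORD = parse_tlsa("1 1 1 " + hashlib.sha256(SERVER_EE.spki_der).hexdigest())
DANE_EE_RECORD = parse_tlsa("3 1 1 " + hashlib.sha256(SERVER_EE.spki_der).hexdigest())

if __name__ == "__main__":
    for name, ee in (("legit", SERVER_EE), ("self-signed", SELF_SIGNED_EE), ("rogue CA cert", ROGUE_EE)):
        print(name, "usage 1:", dane_accepts([PKIX_EE_RECORD], ee, True))
        print(name, "usage 3:", dane_accepts([DANE_EE_RECORD], ee, True))
```

Run it and the three cases line up with the thread: the rogue cert from a compromised CA is rejected under both usages because its SPKI hash is not the one in the signed zone, the self-signed cert is rejected under usage 1 but accepted under usage 3, and if the TLSA RRset is not DNSSEC-secure the client falls back to CA trust alone, which is why "compromise the CA, the DNS and run the MITM" all have to happen together.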

