[144485] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
daemon@ATHENA.MIT.EDU (Eliot Lear)
Mon Sep 12 15:56:35 2011
Date: Mon, 12 Sep 2011 21:53:59 +0200
From: Eliot Lear <lear@cisco.com>
To: Jason Duerstock <jason.duerstock@gallaudet.edu>
In-Reply-To: <CAJNn=DNMrGC42i4Q_Wjvz-i9uV_4w1YnfM8vcX4g_wnXLoT=vA@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 9/12/11 4:32 PM, Jason Duerstock wrote:
> Except that this just shifts the burden of trust on to DNSSEC, which
> also necessitates a central authority of 'trust'. Unless there's an
> explicitly more secure way of storing DNSSEC private keys, this just
> moves the bullseye from CAs to DNSSEC signers.
I said "some", not all, of the responsibility. By adding an independent
PKI there is an additional control put in place to confirm that in fact
the signer is authorized to sign. Should one go as far as to remove CA
caches from browsers altogether?
Eliot
