[144487] in North American Network Operators' Group


Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

daemon@ATHENA.MIT.EDU (Måns Nilsson)
Mon Sep 12 16:34:05 2011

Date: Mon, 12 Sep 2011 22:31:59 +0200
From: Måns Nilsson <mansaxel@besserwisser.org>
To: fredrik danerklint <fredan-nanog@fredan.se>
In-Reply-To: <201109121146.04313.fredan-nanog@fredan.se>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Date: Mon, Sep 12, 2011 at 11:46:04AM +0200 Quoting fredrik danerklint (fredan-nanog@fredan.se):
> > > How about a TXT record with the CN string of the CA cert subject in it?
> > > If it exists and there's a conflict, don't trust it.  Seems simple
> > > enough to implement without too much collateral damage.
> >
> > Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> > to attacks via DNS poisoning (either insert a malicious TXT that matches
> > your malicious certificate, or insert a malicious TXT that intentionally
> > *doesn't* match the victim's certificate)....
>
> And how do you validate the DNSSEC to make sure that no one has tampered with
> it.

Since you are from Sweden, and in an IT job, you probably have personal
relations to someone who has personal relations to one of the Swedes
or other nationalities that were present at the key ceremonies for the
root. Once you've established that the signatures on the root KSK are good
(which -- because of the above -- should be doable OOB quite easily for
you) you can start validating the entire chain of trust.

Quite trivial, in fact.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Am I in GRADUATE SCHOOL yet?

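The out-of-band step Måns describes ends in a mechanical check: the trust anchor you obtained from people you trust is a DS record (key tag, algorithm, digest type, digest), and it must agree with the DNSKEY the root actually serves before anything below it can be validated. The block below is an added example, not code from this thread or from any resolver; it implements that comparison per RFC 4034 (key tag, wire-format owner names) and RFC 4509 (SHA-256 DS) using only the Python standard library, and the same function links every DS/DNSKEY step further down the chain, since a child's DNSKEY is checked against the DS its (already validated) parent signed. The root KSK-2017 key and DS at the bottom are the values IANA publishes under https://data.iana.org/root-anchors/ as recalled when this example was written; check them against your own out-of-band copy before trusting them. The tiny `example.` key is constructed for illustration and is not a real key.

```python
"""Check that a DNSKEY matches a DS-format trust anchor (RFC 4034 / RFC 4509).

Added example for the NANOG thread above; not the poster's code. Uses stdlib only.
"""
import base64
import hashlib
import struct

# DS digest types we can verify. Anything else is "unverifiable", never "ok".
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels.
    The root name "." is a single zero byte (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (must be 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(owner name in wire form || DNSKEY RDATA), uppercase hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def dnskey_matches_ds(owner: str, flags: int, protocol: int, algorithm: int,
                      pubkey_b64: str, ds: tuple) -> bool:
    """True only if key tag, algorithm and digest of the served DNSKEY all agree
    with the DS-format anchor (key_tag, algorithm, digest_type, digest_hex)."""
    anchor_tag, anchor_alg, digest_type, digest_hex = ds
    if digest_type not in DIGEST_ALGS:
        return False  # cannot verify an unknown digest type; do not trust by default
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return (key_tag(rdata) == anchor_tag
            and algorithm == anchor_alg
            and ds_digest(owner, rdata, digest_type) == digest_hex.upper())


# Root KSK-2017 as published by IANA (verify against your own OOB copy!).
ROOT_KSK_2017_PUBKEY = (
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWX"
    "gnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/"
    "EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzu"
    "DWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTVmhA8="
)
ROOT_KSK_2017_DS = (20326, 8, 2,
                    "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")

if __name__ == "__main__":
    # 1. Root: the DNSKEY you fetched vs. the anchor you got out of band.
    print("root KSK matches IANA anchor:",
          dnskey_matches_ds(".", 257, 3, 8, ROOT_KSK_2017_PUBKEY, ROOT_KSK_2017_DS))
    # 2. Same check one level down with a constructed (not real) key for "example.".
    toy_rdata = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
    toy_ds = (key_tag(toy_rdata), 8, 2, ds_digest("example.", toy_rdata, 2))
    print("example. DNSKEY matches its parent-signed DS:",
          dnskey_matches_ds("example.", 257, 3, 8, "AQIDBA==", toy_ds))
    # 3. A DS whose digest was tampered with must be rejected.
    bad_ds = (toy_ds[0], 8, 2, "00" * 32)
    print("tampered DS rejected:", not dnskey_matches_ds("example.", 257, 3, 8, "AQIDBA==", bad_ds))
```

Note what the check does not do: it proves the served key is the one the anchor names, not that the RRSIGs over the zone verify. That is the next step (the "entire chain of trust" in the post), and a real validator also refuses to use the DS/DNSKEY match until the DNSKEY RRset's own signature, made by that key, verifies.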

