[144493] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
daemon@ATHENA.MIT.EDU (fredrik danerklint)
Mon Sep 12 16:48:00 2011
From: fredrik danerklint <fredan-nanog@fredan.se>
To: nanog@nanog.org
Date: Mon, 12 Sep 2011 22:42:35 +0200
In-Reply-To: <20110912203159.GA31219@besserwisser.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> > > > How about a TXT record with the CN string of the CA cert subject in
> > > > it? If it exists and there's a conflict, don't trust it. Seems
> > > > simple enough to implement without too much collateral damage.
> > >
> > > Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> > > to attacks via DNS poisoning (either insert a malicious TXT that
> > > matches your malicious certificate, or insert a malicious TXT that
> > > intentionally *doesn't* match the vicitm's certificate)....
> >
> > And how do you validate the dnssec to make sure that noone has tampered
> > with it.
>
> Since you are from Sweden, and in an IT job, you probably have personal
> relations to someone who has personal relations to one of the swedes
> or other nationalities that were present at the key ceremonies for the
> root. Once you've established that the signatures on the root KSK are good
> (which -- because of the above -- should be doable OOB quite easily for
> you) you can start validating the entire chain of trust.
>
> Quite trivial, in fact.
and how about a end user, who doesn't understand a computer at all, to be able
verify the signatures, correctly?
--
//fredan
