[191322] in North American Network Operators' Group


Re: Chinese root CA issues rogue/fake certificates

daemon@ATHENA.MIT.EDU (George William Herbert)
Wed Sep 7 19:39:21 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <20160901101951.usbucglng5itramz@nic.fr>
From: George William Herbert <george.herbert@gmail.com>
Date: Wed, 7 Sep 2016 16:39:14 -0700
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

> On Sep 1, 2016, at 3:19 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>
> On Thu, Sep 01, 2016 at 11:36:57AM +1000,
> Matt Palmer <mpalmer@hezmatt.org> wrote
> a message of 45 lines which said:
>
>> I'd be surprised if most business continuity people could even name
>> their cert provider,
>
> And they're right because it would be useless information: without
> DANE, *any* CA can issue a certificate for *your* domain, whether you
> are a client or not.

It's relevant for a different reason; CA health needs to be monitored, and multiple CAs can (should) be used in case CA A's recognition gets pulled or a catastrophe happens.  Having certs from CA B then gets you going either immediately (if you actively use both) or rapidly (if you need to replace certs on web / services front end).  Getting new ones from CA B in a hurry can be a major deal.

Sent from my iPhone
