[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Slightly OT: What SSL cert do you consider strongest?
- To: Fabian Wenk <fabian@xxxxxxxx>
- Subject: Re: [Full-disclosure] Slightly OT: What SSL cert do you consider strongest?
- From: Jeffrey Walton <noloader@xxxxxxxxx>
- Date: Thu, 24 Oct 2013 04:54:24 -0400
On Wed, Oct 23, 2013 at 11:59 AM, Fabian Wenk <fabian@xxxxxxxx> wrote:
>
> There are steps you could do to protect your customers in the future, as the
> use of such services from the client side is not fully supported yet. Sign
> your DNS zone with DNSSEC and let add the corresponding entries to your
> upstream TLD. But the clients (e.g. customers computers) need also to use
> and check DNSSEC when resolving (this also depends on the upstream name
> server, e.g. from your ISP). And then also add DANE [1] entries into your
> DNS zone for the hostnames which provide SSL or TLS services.
Utilizing DNS just moves the key distribution problem around. Instead
of trusting a CA you're now trusting DNS. In either case, you're still
likely trusting someone (CA or DNS) external to your organization.
Dr. Bernstein has a good time with DNSSEC in his talks. See, for
example, Cryptography Worst Practices,
http://secappdev.org/lectures/144. The entire talk is good, but his
DNSSEC bashing occurs around 14:40 (min:sec).
Jeff
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/