Boris Zbarsky wrote:
> Alaric Dailey wrote:
>> If DNS were secure, then attempts to use a stolen cert would be thwarted.
> Not particularly. As someone pointed out, anyone who steals a cert and
> can affect the routing of your packets can screw you.
Not if we were to strengthen the rules by saying that certs (or certain
classes of certs) had to have their fingerprints validated by a
DNSSEC-verified DNS record that has the cert fingerprint and was valid
for a period of N or fewer days including the present.
That said, I don't think stolen certs are the top problem to be worrying
about.
Even so, DNSSEC could provide a simpler replacement (fewer
intermediaries) for domain validation certs and other things where
domain validation rather than identity validation is important (such as
email relaying, and sometimes even user connections to sites whose
hostname was established in other reliable ways). It could also (as
above) be used as a double-check of the domain validation aspects of
other certs, although I'm a little more skeptical of the value there.
-David
--
L. David Baron <URL: http://dbaron.org/ >
Technical Lead, Layout & CSS, Mozilla Corporation
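
The fingerprint rule proposed in the message above, sketched as an added example that is not part of the original post. The record shape, the function and field names, and the choice of SHA-256 are assumptions; the message only says "fingerprint", and DNSSEC validation is assumed to be done by the resolver.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class FingerprintRecord:
    """Hypothetical DNS record shape; the message does not define one."""
    sha256_hex: str        # certificate fingerprint published in DNS
    valid_from: datetime   # start of the record's validity period
    valid_until: datetime  # end of the record's validity period
    dnssec_verified: bool  # set by the validating resolver, not by this code


def check_cert(cert_der: bytes, rec: FingerprintRecord,
               max_days: int, now: datetime) -> str:
    """Return "ok", or the reason the certificate is rejected."""
    if not rec.dnssec_verified:
        return "record not DNSSEC-verified"
    if rec.valid_until < rec.valid_from:
        return "malformed validity period"
    # A long-lived record would let a stolen cert keep validating, so the
    # whole validity period is capped at N days, not just the remaining time.
    if rec.valid_until - rec.valid_from > timedelta(days=max_days):
        return "validity period longer than N days"
    if not (rec.valid_from <= now <= rec.valid_until):
        return "record not valid now"
    actual = hashlib.sha256(cert_der).hexdigest()
    if not hmac.compare_digest(actual, rec.sha256_hex.lower()):
        return "fingerprint mismatch"
    return "ok"


# Constructed sample data: stand-in bytes instead of a real DER certificate.
CERT = b"constructed stand-in for DER certificate bytes"
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=10)


def sample_record(days: int = 7, verified: bool = True) -> FingerprintRecord:
    """Build a record for CERT whose validity began one day before NOW."""
    start = NOW - timedelta(days=1)
    return FingerprintRecord(hashlib.sha256(CERT).hexdigest(),
                             start, start + timedelta(days=days), verified)


if __name__ == "__main__":
    print(check_cert(CERT, sample_record(), 7, NOW))
    print(check_cert(CERT, sample_record(days=30), 7, NOW))
```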