People keep referring to the 100+ vendor CA jungle. It is somewhat impolite to point it out, but there are very few major vendors in this space, and these vendors have been implicated in some of the most publicized attacks, in some cases hiding behind a "low-cost" brand name.

In other words, the problem with the TLS PKI is not (only) the small fish.

Thanks,
        Yaron

On 10/05/2010 02:46 AM, Martin Rex wrote:
[...]

Conceptually, limiting the certificates that can be used to provide
servers on specific DNS hostnames to certificates explicitly listed
by the DNS admin would significantly reduce the huge attack surface
of the existing "TLS PKI" with >100 independent pre-configured
trust-anchors in most TLS client software.

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
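The mechanism Martin Rex sketches in the quoted text, shown as an added example that is not from this thread: a client-side check modelled on the DANE TLSA record (RFC 6698), where only certificates the DNS admin has listed for a hostname are accepted, and the pre-configured trust anchors alone no longer decide. The TlsaRecord layout, certificate_permitted, the example.com names and the byte strings standing in for DER certificates are all constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical record layout, modelled on the DANE TLSA record (RFC 6698): the DNS
# admin publishes, per hostname, which certificate or public key a server may present.
@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # 1 = PKIX-EE: must match AND pass CA validation; 3 = DANE-EE: match alone suffices
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def record_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate is the one this record describes."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected == record.data
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: never treat as a match

def certificate_permitted(hostname: str, cert_der: bytes, spki_der: bytes,
                          published: dict, pkix_valid: bool) -> bool:
    """published: hostname -> list of TlsaRecord; pkix_valid: result of the classic
    trust-anchor chain validation, computed elsewhere by the TLS client."""
    records = published.get(hostname, [])
    if not records:
        return pkix_valid  # nothing published: only the pre-configured CAs decide
    for record in records:
        if record_matches(record, cert_der, spki_der):
            return pkix_valid if record.usage == 1 else True
    # A certificate the DNS admin did not list is rejected even if a trusted CA signed it.
    return False

# Constructed stand-ins for DER-encoded certificate and SPKI bytes (not real certificates).
GOOD_CERT = b"constructed-der:cert:www.example.com:key-A"
GOOD_SPKI = b"constructed-der:spki:key-A"
ROGUE_CERT = b"constructed-der:cert:www.example.com:key-B"  # same name, issued by another trusted CA
ROGUE_SPKI = b"constructed-der:spki:key-B"

# What the DNS admin of example.com would publish: the SPKI hash of key-A, DANE-EE usage.
PUBLISHED = {"www.example.com": [TlsaRecord(3, 1, 1, hashlib.sha256(GOOD_SPKI).digest())]}
```

With a record published, a certificate for www.example.com signed by any of the other trusted CAs fails the check; without one, the client falls back to the ordinary CA validation.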
