-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My question boils down to:

DNS (not DNSSEC) is unauthenticated, and a number
of spoofing, poisoning attacks have been shown. One
of the goals of the certs is to authenticate the
other end of the communications, but I get the
impression that this approach gives no extra verification
beyond the fact that DNS sent you to the site
at some point in time.

How does this provide more security than self-signed
certs?

If you do verification from multiple geographic locations,
that may be OK but still seems a bit dodgy.

I really like the goal, I feel like I must be missing
something here.


On 11/19/2014 12:41 PM, Joseph Lorenzo Hall wrote:
> Hopefully you've seen the developing description of the protocol here:
> 
> https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md
> 
> That sounds like it will soon make its way into IETF for a broader
> discussion. I don't see an explicit mechanism that can deal with
> poisoning, but it might be that they check a few independent network
> views of the record they're verifying.
> 
> I'm CC'ing Richard who has done a lot of the thinking to date...
> Richard, not sure if you can post to libtech but happy to intermediate.
> 
> best, Joe
> 
> On 11/19/14, 10:13 AM, Richard Brooks wrote:
>> Just looked at this:
> 
>> https://letsencrypt.org/howitworks/technology/
> 
>> The EFF's new CA to make things cheap and easy for installing
>> certs. I like the goal.
> 
>> What I do not get from the description is how they really verify
>> that I legitimately own the site. If I should manage to reroute
>> some traffic and do DNS cache poisoning on a web-site address,
>> wouldn't the system accept my web-site as valid? It seems like they
>> are accepting the fact that you can reach the site using DNS
>> information (which is not secured) as proof of legitimacy.
> 
>> Or is there something I am missing?
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRs2ZIACgkQEwFPdUjsHjCmbACffwHoqUwTCk5n+njJBUysaUc9
qjUAnRt9Jr341choZlT4dMYGDikKUOVR
=wqjy
-----END PGP SIGNATURE-----
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.
