On Feb 26, 2019, at 2:35 PM, Ca By <cb.li...@gmail.com> wrote:

> On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <wo...@pch.net> wrote:
>
> > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <h...@efes.iucc.ac.il> wrote:
> >
> > > Did you have a CAA record defined and if not, why not?
> >
> > It’s something we’d been planning to do but, ironically, we’d been in the process of switching to Let’s Encrypt, and they were one of the two CAs whose process vulnerabilities the attackers were exploiting. So, in this particular case, it wouldn’t have helped.
> >
> > I guess the combination of CAA with a very expensive, or very manual, CA, might be an improvement. But it’s still a band-aid on a bankrupt system.
> >
> > We need to get switched over to DANE as quickly as possible, and stop wasting effort trying to keep the CA system alive with ever-hackier band-aids.
> >
> > -Bill
>
> DNS guy says the solution for insecure DNS is... wait for it.... more DNS ...
Well, no. "DNS guy" (Bill’s a bit more than that, of course) says the solution for a fundamentally broken trust model is a different system to derive trust. Or do you think Let’s Encrypt/Comodo increase trust?

Regards,
-drc
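Hank's CAA question and Bill's answer both turn on what a CAA RRset can and cannot express. The following is an added example for this thread, not code from any of the participants or from any CA: a small evaluator that follows the RFC 8659 rules (tree climbing to the relevant RRset, `issue`/`issuewild` matching, and the issuer-critical flag) over constructed zone data. It shows the point Bill makes: a zone pinned to `letsencrypt.org` still authorizes Let's Encrypt, so a CAA record cannot protect against issuance obtained by abusing that CA's own validation process. All domain names, records and function names below are constructed for illustration.

```python
"""CAA authorization check in the style of RFC 8659.

Added example for this thread; the ZONE data is constructed, not real DNS.
"""
from dataclasses import dataclass

CRITICAL = 128                 # RFC 8659 section 4.1: issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed sample RRsets keyed by owner name (lowercase, no trailing dot).
# example.net mirrors the thread's scenario: issuance pinned to Let's Encrypt,
# wildcard issuance forbidden, plus a reporting address.
ZONE = {
    "example.net": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),              # empty issuer domain: nobody
        CAA(0, "iodef", "mailto:security@example.net"),
    ],
    # A record with an unrecognised tag and the critical bit set.
    "pinned.example.org": [CAA(CRITICAL, "futuretag", "x")],
}


def relevant_rrset(fqdn, zone):
    """RFC 8659 section 3: the CAA RRset at the name itself, otherwise the
    RRset of the nearest ancestor that has one (tree climbing)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_of(value):
    """An issue/issuewild value is '<issuer-domain-name>[; parameters]'.
    An empty issuer domain (the value ';') authorizes no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_domain, zone, wildcard=False):
    """Return (permitted, reason) for CA `ca_domain` issuing for `fqdn`."""
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA anywhere in the tree: issuance unrestricted"

    # An unrecognised property tag with the critical bit set forbids issuance.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical tag {rr.tag!r}"

    # Section 4.3: for a wildcard name, issuewild records (if any) replace
    # issue records; otherwise the issue records apply.
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"

    relevant = [rr for rr in rrset if rr.tag.lower() == tag]
    if not relevant:
        # Only iodef (or similar) present: nothing requests issue restriction.
        return True, f"no {tag} records: issuance not restricted"

    allowed = {issuer_of(rr.value) for rr in relevant}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is listed in {tag}"
    names = sorted(a for a in allowed if a)
    return False, f"{ca_domain} not in {names or 'nobody'}"


if __name__ == "__main__":
    # The thread's point: pinning to Let's Encrypt still lets Let's Encrypt
    # issue, so CAA does not help when that CA's validation is what is abused.
    for ca in ("letsencrypt.org", "comodoca.com"):
        print("www.example.net", ca, caa_permits("www.example.net", ca, ZONE))
    print("*.example.net", caa_permits("example.net", "letsencrypt.org",
                                       ZONE, wildcard=True))
```

The evaluator answers only the question CAA was designed to answer (which CA may issue for this name); it says nothing about whether that CA's domain-validation process was itself subverted, which is the gap Bill describes and the reason he points at DANE instead.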