On 01/13/2014 11:26 AM, Elmar Stellnberger via RT wrote:
> Webkit browsers and many other openssl based programs like ssh would already
> like to make use of DNSSEC. AFAIK DNSSEC has already been standardized and
> would therefore be free to be implemented by openssl. DNSSEC could overcome
> many of the weaknesses in the current certificate management workflow.
DNSSEC on its own seems unlikely to fix any problems in certificate management. DNSSEC coupled with some of the DANE proposals seems more likely to be able to provide augmented verification mechanisms for X.509 certificates encountered by OpenSSL.

However, please don't think that DANE will solve the problem of certificate validation entirely; it just moves the problem into the DNS, which powerful attackers have already shown willingness to compromise directly. I'm not saying DANE is a bad idea, but it is not a silver bullet.

--dkg
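The reply above describes DANE as an augmented check on an X.509 certificate whose trust rests on DNSSEC. The following is an added example, not code from this thread or from OpenSSL, showing how that check works and where the dependency on DNSSEC sits. It evaluates the end-entity TLSA record usages from RFC 6698 (PKIX-EE, usage 1, and DANE-EE, usage 3); the trust-anchor usages 0 and 2 are deliberately left out. The `TlsaRecord` type, the `dnssec_validated` flag, and the sample certificate and SubjectPublicKeyInfo byte strings are all constructed for this example; a real client would obtain the DER bytes from its TLS library and the validation status from a DNSSEC-aware resolver.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TlsaRecord:
    """One TLSA RR in the RFC 6698 field layout (constructed type, not OpenSSL's)."""
    usage: int              # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int           # 0 full certificate DER, 1 SubjectPublicKeyInfo DER
    matching_type: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes             # certificate association data
    dnssec_validated: bool  # resolver reported the RRset as authenticated (AD=1)


# Constructed placeholders standing in for DER-encoded structures; not real ASN.1.
SAMPLE_CERT_DER = b"constructed placeholder: end-entity certificate DER"
SAMPLE_SPKI_DER = b"constructed placeholder: SubjectPublicKeyInfo DER"


def select_bytes(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> Optional[bytes]:
    """Apply the TLSA selector: which part of the certificate the record describes."""
    if record.selector == 0:
        return cert_der
    if record.selector == 1:
        return spki_der
    return None  # unknown selector: record is unusable


def association_matches(record: TlsaRecord, selected: bytes) -> bool:
    """Apply the TLSA matching type to the selected bytes."""
    if record.matching_type == 0:
        return selected == record.data
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: record is unusable


def evaluate_end_entity(records: List[TlsaRecord], cert_der: bytes,
                        spki_der: bytes, pkix_valid: bool) -> str:
    """Evaluate TLSA records against the presented end-entity certificate.

    Returns one of:
      'match'             a DNSSEC-validated record matched (accept)
      'no-match'          validated records exist but none matched (reject)
      'no-usable-records' nothing validated: the TLSA data carries no trust,
                          so behave as if no records exist and rely on PKIX alone
    This is the point made in the thread: every record that was not
    authenticated by DNSSEC is discarded, so DANE is only as strong as the DNS.
    """
    for r in records:
        if r.usage in (0, 2):
            raise ValueError("trust-anchor usages are not handled in this example")
    usable = [r for r in records if r.dnssec_validated]
    if not usable:
        return "no-usable-records"
    for r in usable:
        # PKIX-EE (usage 1) only constrains which PKIX-valid certificate is
        # acceptable; if ordinary chain validation failed, the record cannot help.
        if r.usage == 1 and not pkix_valid:
            continue
        selected = select_bytes(r, cert_der, spki_der)
        if selected is not None and association_matches(r, selected):
            return "match"
    return "no-match"


def sample_dane_ee_records(validated: bool = True) -> List[TlsaRecord]:
    """A constructed DANE-EE record pinning the SHA-256 of the sample SPKI ("3 1 1")."""
    return [TlsaRecord(3, 1, 1, hashlib.sha256(SAMPLE_SPKI_DER).digest(), validated)]


if __name__ == "__main__":
    for validated in (True, False):
        verdict = evaluate_end_entity(sample_dane_ee_records(validated),
                                      SAMPLE_CERT_DER, SAMPLE_SPKI_DER, pkix_valid=False)
        print(f"dnssec_validated={validated}: {verdict}")
```

The second run in the usage block is the interesting one: the same "3 1 1" record that accepts the certificate when DNSSEC authenticated it contributes nothing when it did not, and the client falls back to plain PKIX. An attacker who controls the zone or the resolver path can therefore publish matching records for their own key, which is the "moves the problem into the DNS" caveat in the reply.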