Hi *,
this is just an idea. However, it would increase the security of our
crypto system in case a trusted CA has been compromised.
The idea is to implement a DNS lookup of a host whenever an SSL
connection is going to be established. The lookup may search the TXT
record of the domain. This record may contain one or multiple records in
this form:
mydomain.com IN TXT "tls-sec v=1.0 sock=443/tcp crypto=required fingerprint=00:12:34:..."
mydomain.com IN TXT "tls-sec v=1.0 sock=25/tcp crypto=desired fingerprint=ab:cd:ef:..."
So the TLS/SSL client is able to check whether there is a need for
encryption on this connection and it is able to double-check the
fingerprint of the keypair.
In case a compromised CA has lost its "trusted" signing key, this key is
not able to sign any fraudulent certificates.
As I introduced - this is just an idea. But I just would like to share
it with you. Feedback is welcome :)
Thanks.
/Mario
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
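
An added example, not part of the post above or of OpenSSL: a client-side check of the proposed tls-sec TXT records against the certificate the peer presents. It assumes the fingerprint is the SHA-256 of the certificate's DER bytes (the post does not name a hash); the function names and the sample records and certificate bytes are constructed for illustration.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """Colon-separated hex SHA-256 of the DER bytes (assumed hash, see lead-in)."""
    h = hashlib.sha256(der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def parse_tls_sec(txt: str):
    """Parse one TXT string; return its fields, or None if it is not a usable tls-sec record."""
    tokens = txt.split()
    if not tokens or tokens[0] != "tls-sec":
        return None                      # unrelated TXT data (SPF, site verification, ...)
    fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    if fields.get("v") != "1.0":
        return None                      # unknown version: do not guess at its meaning
    if fields.get("crypto") not in ("required", "desired"):
        return None
    if "sock" not in fields or "fingerprint" not in fields:
        return None
    return fields

def evaluate(txt_records, port, proto, peer_der=None):
    """Verdict for one connection; peer_der is None when the connection is plaintext."""
    sock = f"{port}/{proto}"
    policies = [p for p in map(parse_tls_sec, txt_records) if p and p["sock"] == sock]
    if not policies:
        return "no-policy"               # nothing published for this port
    if peer_der is None:
        required = any(p["crypto"] == "required" for p in policies)
        return "refuse-plaintext" if required else "allow-plaintext"
    seen = fingerprint(peer_der)
    # Several records per socket are allowed, e.g. during a key rollover.
    if any(p["fingerprint"].lower() == seen for p in policies):
        return "match"
    return "mismatch"                    # CA-valid or not, this is not the published key

# Constructed sample data: stand-in bytes, not real certificates.
CERT_WEB = b"constructed DER bytes for the web server"
CERT_OTHER = b"constructed DER bytes for a different certificate"
RECORDS = [
    f"tls-sec v=1.0 sock=443/tcp crypto=required fingerprint={fingerprint(CERT_WEB)}",
    f"tls-sec v=1.0 sock=25/tcp crypto=desired fingerprint={fingerprint(CERT_OTHER)}",
    "v=spf1 -all",
]

if __name__ == "__main__":
    print(evaluate(RECORDS, 443, "tcp", CERT_WEB))
    print(evaluate(RECORDS, 443, "tcp", CERT_OTHER))
    print(evaluate(RECORDS, 25, "tcp"))
```

The verdict is only as trustworthy as the TXT answer itself, so the lookup needs an authenticated path such as DNSSEC validation.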