On 5 November 2013 00:00, Dan York <[email protected]> wrote:

> But I want to detect the bad cert *before* someone goes to a site (or in
> the process of going to a site). I agree that this capability of tracking
> issued certs would be VERY useful in detection of compromised certs... but
> this doesn't necessarily seem to me something that can work in real-time.
> It can be something used to figure out what happened after-the-fact... but
> in the meantime someone has already gone to the bad site that they
> thought was legit.
>
> The advantage of DNSSEC/DANE is that the bogus cert can be detected before
> someone actually goes to the site. If the fingerprint of the cert stored
> in the TLSA record (and signed with DNSSEC) doesn't match the fingerprint
> of the cert being offered by the server... then the app knows there is a
> problem.
However, there are several real-world downsides. Most glaring:

1. In quite a lot of cases (experiments suggest around 4%), clients cannot fetch DNSSEC records (nor TLSA records).

2. DNSSEC has its equivalent of CAs: registries and registrars. Their track records on misissuance are not better than CAs.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
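To make the TLSA comparison in the quoted paragraph concrete, here is an added example (not code from the thread or from any DANE library): it derives the association data a zone owner would publish for a certificate and then performs the client-side check against the certificate a server presents, flagging a different key for the same name. The certificates, the name example.com and the record values are constructed for the demonstration; fetching and DNSSEC-validating the record is out of scope.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA mirrors the RDATA of a DANE TLSA record (RFC 6698).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}
// AssocData derives the association data: selector 0 covers the whole DER cert, 1 only its SubjectPublicKeyInfo; matching type 0 keeps it verbatim, 1 hashes it with SHA-256.
func AssocData(cert *x509.Certificate, selector, mt uint8) []byte {
	data := cert.Raw
	if selector == 1 {
		data = cert.RawSubjectPublicKeyInfo
	}
	if mt == 1 {
		sum := sha256.Sum256(data)
		return sum[:]
	}
	return data
}
// Matches is the client-side check from the thread: the cert the server offers must agree with the fingerprint carried by the DNSSEC-validated record.
func (t TLSA) Matches(cert *x509.Certificate) bool {
	return bytes.Equal(t.Data, AssocData(cert, t.Selector, t.MatchingType))
}
// SelfSigned makes a throwaway certificate for cn (constructed test data, not a real site's cert).
func SelfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
func main() {
	legit := SelfSigned("example.com")
	rec := TLSA{3, 1, 1, AssocData(legit, 1, 1)} // DANE-EE, SPKI, SHA-256: the usual "3 1 1" record
	fmt.Printf("_443._tcp.example.com. IN TLSA %d %d %d %x\n", rec.Usage, rec.Selector, rec.MatchingType, rec.Data)
	fmt.Println("legit:", rec.Matches(legit), "mis-issued:", rec.Matches(SelfSigned("example.com")))
}
```

When the record cannot be fetched at all (the first downside above), Matches is never reached; a client has to decide separately whether that counts as a hard failure.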
