ietf

Re: Using DNS system as a Global Root Certificate Authority - possible ?

2015-12-27 19:42:16
Phillip Hallam-Baker wrote:

One of the issues people don't seem to consider in these schemes is
that merely reducing the number of trusted intermediaries from ~40 to
one doesn't actually remove reliance on trusted third parties,

That is, DNSSEC is not secure at all. Just as plain DNS is vulnerable
to active attacks on communication channels, DNSSEC is so on CA
chains.

Viktor Dukhovni wrote:

It hasn't been "are you who say you are" for quite some time, not
the vast majority of certificates.  EV certificates are rather rare
with the exception of some of the largest sites.  Certainly the "Let's
Encrypt" CA will not do anything resembling "are you who you say
you are".

We don't need a CA for encryption, because DH is good enough. Though
DH is vulnerable to active attacks on communication channels, CA is
so on CA chains.

                                                Masataka Ohta