[cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))
dhuff at jrbobdobbs.org
Sun Sep 11 11:37:27 EDT 2011
On Sep 11, 2011, at 9:25 AM, Thierry Moreau wrote:
> E.g. http://datatracker.ietf.org/wg/dane/ (DNS-based Authentication of Named Entities (dane))
Which makes a huge assumption about DNSSEC that is just not realistic. Namely, the one I just mentioned, that end clients would actually be validating. Meaning that the MITM I mentioned becomes hilariously effective in the vast majority of scenarios where the clients themselves are not doing the validating. Giving a nice illusion of additional verification with no substance.
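
Added illustration of the point in the reply above (not part of the original message): over plain DNS, a stub that does not validate signatures itself can see at most the AD header bit set by its resolver, and that bit is not authenticated on the client-to-resolver hop. The sample responses, the name `_443._tcp.example.test` and the helper names `classify`, `skip_name` and `build` are constructed for this sketch.

```python
import struct

AD_FLAG = 0x0020                  # "Authenticated Data" header bit (RFC 4035)
TYPE_TLSA, TYPE_RRSIG = 52, 46    # DANE record type and DNSSEC signature type

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n

def classify(msg):
    """Say what a non-validating stub can actually conclude from a response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    if TYPE_RRSIG in types:
        return "verifiable"   # signatures present: the client CAN validate locally
    if flags & AD_FLAG:
        return "ad-only"      # only an unauthenticated header bit vouches for the data
    return "unsigned"

def build(flags, rrs, qname=b"\x04_443\x04_tcp\x07example\x04test\x00"):
    """Constructed sample response: one question, answers named by pointer."""
    out = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    out += qname + struct.pack("!HH", TYPE_TLSA, 1)
    for rtype, rdata in rrs:
        out += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return out

TLSA = (TYPE_TLSA, b"\x03\x01\x01" + bytes(32))   # constructed placeholder digest
RRSIG = (TYPE_RRSIG, bytes(24))                   # constructed placeholder, not a real signature

if __name__ == "__main__":
    for label, msg in [("AD set, no RRSIG", build(0x81A0, [TLSA])),
                       ("AD set, RRSIG included", build(0x81A0, [TLSA, RRSIG])),
                       ("AD clear", build(0x8180, [TLSA]))]:
        print(f"{label:24} -> {classify(msg)}")
```

A result of "verifiable" only means the material for local validation was delivered; the client still has to check the signature chain itself for the TLSA data to carry any weight.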