[cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))

Douglas Huff dhuff at jrbobdobbs.org
Sun Sep 11 11:37:27 EDT 2011


On Sep 11, 2011, at 9:25 AM, Thierry Moreau wrote:
> 
> E.g. http://datatracker.ietf.org/wg/dane/ (DNS-based Authentication of Named Entities (dane))

Which makes a huge assumption about DNSSEC that is just not realistic. Namely, the one I just mentioned, that end clients would actually be validating. Meaning that the MITM I mentioned becomes hilariously effective in the vast majority of scenarios where the clients themselves are not doing the validating. Giving a nice illusion of additional verification with no substance.
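As an added illustration of the point above (example code, not from the list post or the DANE working group): a minimal DANE/TLSA check that only treats a record as usable when the host validated DNSSEC itself, rather than trusting the AD bit copied from a resolver's reply. The TLSA RDATA layout follows RFC 6698; the certificate bytes and the record are constructed, and `DnsAnswer`, `dane_verdict` and `demo` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass

# TLSA RDATA (RFC 6698): usage(1) selector(1) matching_type(1) cert_assoc_data(...)
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2
SELECTOR_FULL_CERT = 0   # selector 1 (SubjectPublicKeyInfo) needs ASN.1 parsing; omitted here
EE_USAGES = (1, 3)       # PKIX-EE / DANE-EE match the end-entity cert itself

@dataclass
class DnsAnswer:
    rdata: bytes
    locally_validated: bool  # True only if THIS host ran DNSSEC validation on the answer
    ad_bit: bool             # AD flag as received from the upstream resolver (hypothetical field)

def parse_tlsa(rdata: bytes):
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]

def tlsa_matches_cert(rdata: bytes, cert_der: bytes) -> bool:
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage not in EE_USAGES or selector != SELECTOR_FULL_CERT:
        return False  # TA usages (0, 2) match a chain cert, out of scope for this example
    if mtype == MATCH_FULL:
        return assoc == cert_der
    if mtype == MATCH_SHA256:
        return assoc == hashlib.sha256(cert_der).digest()
    if mtype == MATCH_SHA512:
        return assoc == hashlib.sha512(cert_der).digest()
    return False

def dane_verdict(answer: DnsAnswer, cert_der: bytes) -> str:
    # The AD bit is a plain flag in the resolver's reply; unless the stub validates
    # the chain itself it proves nothing about the TLSA record's authenticity.
    if not answer.locally_validated:
        return "insecure"  # caller falls back to its non-DANE policy (or fails closed)
    return "match" if tlsa_matches_cert(answer.rdata, cert_der) else "mismatch"

# Constructed sample: not a real certificate, just bytes standing in for its DER encoding.
CERT = b"\x30\x82\x01\x00constructed-placeholder-cert-der"
TLSA_RDATA = bytes([3, 0, 1]) + hashlib.sha256(CERT).digest()  # DANE-EE, full cert, SHA-256

def demo():
    ad_only = DnsAnswer(TLSA_RDATA, locally_validated=False, ad_bit=True)
    validated = DnsAnswer(TLSA_RDATA, locally_validated=True, ad_bit=True)
    return dane_verdict(ad_only, CERT), dane_verdict(validated, CERT)
```

The first verdict is "insecure" even though the record itself matches: the same record delivered with an AD bit over an unprotected path gives no assurance, which is the gap the reply describes.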

