[cryptography] Request - PKI/CA History Lesson - the definition of trust

Greg greg at kinostudios.com
Sun May 4 21:34:47 EDT 2014


On May 4, 2014, at 6:39 PM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:

> On 2014-05-03, at 3:22 AM, <pjklauser at gmail.com> <pjklauser at gmail.com> wrote:
> 
>> Frankly, if we could "trust" in DNS, we would not need to "trust" in
>> web-PKIX [2] - since the one is just the bandaid for the other.
> 
> Have you forgotten that routing can be subverted?
> 
> Just because you are talking to the right IP address doesn’t mean
> you are talking to the right host.

That is why signatures exist. With DNSChain and DNSCrypt, for example, you will know whether you're talking to the right host, and no IP-based routing or filtering can affect that.

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
