[cryptography] Request - PKI/CA History Lesson - the definition of trust

John Levine johnl at iecc.com
Sun May 4 21:50:20 EDT 2014


In article <EB40B06C-907F-42EE-BE88-45361561E734 at goldmark.org> you write:
>On 2014-05-03, at 3:22 AM, <pjklauser at gmail.com> <pjklauser at gmail.com> wrote:
>
>> Frankly, if we could "trust" in DNS, we would not need to "trust" in
>> web-PKIX [2] - since the one is just the bandaid for the other.
>
>Have you forgotten that routing can be subverted?
>
>Just because you are talking to the right IP address doesn’t mean
>you are talking to the right host.

Sure, but if the cert it presents has the hash in the DNSSEC-signed
DANE record, it does.

R's,
John
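
The check described in the reply above, as an added example that is not part of the original message: a client accepts the presented certificate only when a DNSSEC-validated TLSA record (RFC 6698) matches it. The function names, the `dnssec_validated` flag (assumed to come from a validating resolver) and the sample byte strings are constructed for illustration, and only usage 3 (DANE-EE) is handled.

```python
import hashlib
import hmac

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
MATCHERS = {
    0: lambda data: data,
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}

def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector matching-type hex'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def tlsa_matches(rdata, cert_der, spki_der):
    """True if the certificate association data matches the presented cert."""
    _usage, selector, mtype, assoc = parse_tlsa(rdata)
    # Selector 0 covers the whole certificate, selector 1 only its public key.
    selected = {0: cert_der, 1: spki_der}.get(selector)
    matcher = MATCHERS.get(mtype)
    if selected is None or matcher is None:
        return False
    return hmac.compare_digest(matcher(selected), assoc)

def dane_ee_accepts(rrset, dnssec_validated, cert_der, spki_der):
    """Accept only on a DNSSEC-validated usage-3 (DANE-EE) match."""
    if not dnssec_validated:
        return False  # an unvalidated answer says nothing about the real key
    for rdata in rrset:
        try:
            if parse_tlsa(rdata)[0] == 3 and tlsa_matches(rdata, cert_der, spki_der):
                return True
        except ValueError:
            continue  # skip malformed records, keep checking the rest
    return False

# Constructed stand-ins for the DER bytes a TLS library would hand over.
GOOD_CERT, GOOD_SPKI = b"constructed cert DER", b"constructed SPKI DER"
OTHER_CERT, OTHER_SPKI = b"other cert DER", b"other SPKI DER"
RRSET = ["3 1 1 " + hashlib.sha256(GOOD_SPKI).hexdigest(), "3 0 1 zz"]

if __name__ == "__main__":
    print(dane_ee_accepts(RRSET, True, GOOD_CERT, GOOD_SPKI))    # right host
    print(dane_ee_accepts(RRSET, True, OTHER_CERT, OTHER_SPKI))  # wrong host
    print(dane_ee_accepts(RRSET, False, GOOD_CERT, GOOD_SPKI))   # unsigned DNS
```

Usages 0 to 2 additionally require certificate chain validation, which this example leaves out.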

