[clug] the new SSL :-)

Daniel Pittman daniel at rimspace.net
Fri Mar 26 06:34:49 MDT 2010


Daniel Black <daniel.subs at internode.on.net> writes:

>> (see also: http://www.ietf.org/rfc/rfc5081.txt)
>
> or as a barely thought through proposal some X509 cert cryptographically tied
> to a DNSSEC key of the domain.

...at which point you are trusting the DNS root, which is often run by the
government, and is certainly run at the fiat of the government.  That puts
them in a ... poor negotiating position to resist pressure to cooperate...

> I'm assuming some aspect of DNSSEC keys can be under exclusive possession of
> domain controller else this can't apply.

Well, the key can, but the chain of trust from the root involves keys outside
your control.

If the attacker can get the upstream key they can forge the glue, which can in
turn supply a fake key in place of yours, and you lose.

        Daniel

-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
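As an added illustration of the chain-of-trust point above (not code from the thread or from any DNSSEC implementation), here is a toy validator that walks a delegation chain from a trust anchor and reports which child key it ends up trusting. Textbook RSA with small fixed primes stands in for DNSKEY/RRSIG and is insecure by design; the zone names, keys and the "attacker" are all constructed for the example.

```python
import hashlib
# Textbook RSA with small fixed primes stands in for DNSKEY/RRSIG; insecure by design.
def make_key(p, q, e=65537):
    return {"pub": (p * q, e), "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(data, n):  # hash reduced mod n so it is a valid RSA message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_h(data, key["pub"][0]), key["d"], key["pub"][0])

def verify(pubkey, data, sig):
    return pow(sig, pubkey[1], pubkey[0]) == _h(data, pubkey[0])

def ds_record(child, child_pub):  # DS RR: hash of the child's DNSKEY, published by the parent
    return hashlib.sha256(f"{child}|{child_pub}".encode()).digest()

def publish_ds(parent_key, child, child_pub):  # the parent signs the DS it vouches for
    ds = ds_record(child, child_pub)
    return {"ds": ds, "sig": sign(parent_key, ds)}

def validate(anchor_pub, zones, chain):
    """Walk the delegation chain from the trust anchor and return the child public
    key the validator ends up trusting, or None if any link fails to verify."""
    trusted = anchor_pub
    for parent, child in zip(chain, chain[1:]):
        link = zones[parent]["ds"].get(child)
        if link is None or not verify(trusted, link["ds"], link["sig"]):
            return None  # DS is not signed by the key we already trust
        if ds_record(child, zones[child]["pub"]) != link["ds"]:
            return None  # DNSKEY served for the child does not match the DS
        trusted = zones[child]["pub"]
    return trusted

def demo():
    primes = [(10007, 10009), (10037, 10039), (10061, 10067), (10069, 10079)]
    root, net, example, attacker = (make_key(*pq) for pq in primes)  # constructed keys
    chain = [".", "net.", "example.net."]
    zones = {".": {"pub": root["pub"], "ds": {"net.": publish_ds(root, "net.", net["pub"])}},
             "net.": {"pub": net["pub"], "ds": {"example.net.": publish_ds(net, "example.net.", example["pub"])}},
             "example.net.": {"pub": example["pub"], "ds": {}}}
    legit = validate(root["pub"], zones, chain)
    # Substituted DS and DNSKEY, but signed without the upstream (net.) key: the chain holds.
    zones["net."]["ds"]["example.net."] = publish_ds(attacker, "example.net.", attacker["pub"])
    zones["example.net."]["pub"] = attacker["pub"]
    rejected = validate(root["pub"], zones, chain)
    # Same substitution signed with the upstream key: it validates, and example.net.'s own key is never consulted.
    zones["net."]["ds"]["example.net."] = publish_ds(net, "example.net.", attacker["pub"])
    forged = validate(root["pub"], zones, chain)
    return legit == example["pub"], rejected is None, forged == attacker["pub"]
```

The three results from `demo()` show the validator doing its job against a substitution that lacks the upstream key, and accepting the same substitution once the upstream key signs it, which is exactly why exclusive possession of the zone's own key does not help.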
