| |||||||||||||
DNSSECDNSSECPosted Mar 25, 2010 3:09 UTC (Thu) by martinfick (subscriber, #4455)In reply to: DNSSEC by foom Parent article: Blaze: The Spy in the Middle
Why would the US govt having control over the signing key for .us make interception easier than them having control of N of the M signing keys browsers trust for SSL? Since in one case interception is easy for 100% of the cases that I specified (US domain traffic), and in the other case, interception is only easy for a fraction of the US domain, i.e that fraction of the US sites which are signed by the N US gov. controlled keys. (I hope you don't think the US Govt somehow lacks the ability to sign arbitrary SSL certificates...) Why wouldn't they? Even I can sign any arbitrary key, as long as I can see it. But what good does it do for them or me for intercepting traffic? It is only valuable if they/I can sign it with the key of a CA that others trust.
(Log in to post comments)
DNSSEC Posted Mar 25, 2010 5:38 UTC (Thu) by foom (subscriber, #14868) [Link]
> in the other case, interception is only easy for a fraction of the US domain, i.e that fraction of the
> US sites which are signed by the N US gov. controlled keys.
That's not the case. It's easy for *all* sites on the internet, .US domain or not!
As this article points out, all they need is to have control of the private key for *ONE* CA that web
And, as I tried to say in the message you responded to, I'm pretty certain that some three-letter-
DNSSEC Posted Mar 25, 2010 6:18 UTC (Thu) by martinfick (subscriber, #4455) [Link]
True, it does seem that trusting a certificate signed by any single CA of a
vast list is ripe for abuse.
|
|||||||||||||