On Google's security blog, Ben Laurie looks
at some Google initiatives to improve SSL certificate security. One is a certificate catalog that Google gathers as it spiders the internet, which can be queried via DNS (see the post for details). "The second initiative to discuss is the DANE Working Group at the IETF. DANE stands for DNS-based Authentication of Named Entities. In short, the idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn't consistent with the DANE records, it should be treated with suspicion."
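Both sides of the DANE check in the quoted paragraph (the operator publishing a record for its certificate, and a client comparing the certificate it is shown against that record), as an added example that is not part of Ben Laurie's post or of any Google code. It assumes the TLSA record layout the DANE working group later standardised in RFC 6698 (usage, selector, matching type, association data), which the 2011 post predates. The certificates are constructed toy DER structures with the X.509 field layout, not real signed certificates, and ordinary PKIX chain validation is not performed, so only the DANE-TA/DANE-EE usages are decided.

```python
import hashlib

# TLSA field values as later fixed in RFC 6698 (an assumption here: the post
# predates the final RFC).
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def der_tlv(tag, content):
    """Encode one definite-length DER tag-length-value."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read(buf, off):
    """Decode the TLV header at buf[off]; return (tag, value_start, value_end)."""
    tag, first = buf[off], buf[off + 1]
    hdr = 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    else:
        length = first
    start = off + hdr
    return tag, start, start + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_start, _ = der_read(cert_der, 0)
    _, off, tbs_end = der_read(cert_der, cert_start)
    tag, _, nxt = der_read(cert_der, off)
    if tag == 0xA0:            # explicit [0] version is absent in v1 certificates
        off = nxt
    for _ in range(5):         # serialNumber, signature, issuer, validity, subject
        _, _, off = der_read(cert_der, off)
    tag, _, spki_end = der_read(cert_der, off)
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("malformed TBSCertificate")
    return cert_der[off:spki_end]


def tlsa_rdata(cert_der, usage, selector, mtype):
    """Publisher side: RDATA a domain operator would put in a TLSA record."""
    if selector == SEL_FULL_CERT:
        data = cert_der
    elif selector == SEL_SPKI:
        data = extract_spki(cert_der)
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == MATCH_SHA256:
        data = hashlib.sha256(data).digest()
    elif mtype == MATCH_SHA512:
        data = hashlib.sha512(data).digest()
    elif mtype != MATCH_EXACT:
        raise ValueError(f"unknown matching type {mtype}")
    return (usage, selector, mtype, data)


def tlsa_presentation(rdata):
    """Zone-file form of the RDATA, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, data = rdata
    return f"{usage} {selector} {mtype} {data.hex()}"


def record_matches(cert_der, rdata):
    usage, selector, mtype, data = rdata
    return tlsa_rdata(cert_der, usage, selector, mtype)[3] == data


def dane_consistent(chain, records):
    """Verifier side: is the presented chain (end-entity first) consistent with the
    TLSA set? Usages 0/1 also need PKIX validation, which this toy does not do,
    so they never satisfy the check. For usage 2 the matched certificate must
    really be the chain's trust anchor; this toy only checks it is present."""
    for rec in records:
        if rec[0] == USAGE_DANE_EE and record_matches(chain[0], rec):
            return True
        if rec[0] == USAGE_DANE_TA and any(record_matches(c, rec) for c in chain[1:]):
            return True
    return False


def toy_certificate(serial, spki_content):
    """Constructed DER with the X.509 layout; not a real signed certificate."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, serial) + alg
           + der_tlv(0x30, b"") + validity + der_tlv(0x30, b"") + der_tlv(0x30, spki_content))
    return der_tlv(0x30, der_tlv(0x30, tbs) + alg + der_tlv(0x03, b"\x00" * 9))


def toy_spki(key_bytes):  # rsaEncryption AlgorithmIdentifier + placeholder BIT STRING
    return (der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
            + der_tlv(0x03, b"\x00" + key_bytes))


# Constructed sample data: the server's key, a renewal with the same key, and an
# impostor certificate for the same name issued over a different key.
KEY_A, KEY_B = toy_spki(bytes(range(1, 33))), toy_spki(bytes(range(33, 65)))
SERVER_CERT = toy_certificate(b"\x01", KEY_A)
RENEWED_CERT = toy_certificate(b"\x02", KEY_A)
MITM_CERT = toy_certificate(b"\x03", KEY_B)
CA_CERT = toy_certificate(b"\x10", KEY_B)
PUBLISHED = [tlsa_rdata(SERVER_CERT, USAGE_DANE_EE, SEL_SPKI, MATCH_SHA256)]

if __name__ == "__main__":
    print("_443._tcp.www.example.com. IN TLSA", tlsa_presentation(PUBLISHED[0]))
    for name, cert in (("server", SERVER_CERT), ("renewed", RENEWED_CERT), ("mitm", MITM_CERT)):
        print(name, "consistent" if dane_consistent([cert], PUBLISHED) else "SUSPICIOUS")
```

Pinning the SubjectPublicKeyInfo (selector 1) rather than the whole certificate is what lets the renewed certificate pass while the impostor fails; with selector 0 the record would have to be republished at every renewal.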