
Fraudulent certificates in the wild — again


Posted Jan 5, 2013 22:19 UTC (Sat) by paulj (subscriber, #341)
In reply to: Fraudulent certificates in the wild — again by kleptog
Parent article: Fraudulent certificates in the wild — again

There is a simple solution to this, for certs that authenticate domains: publish the certs in DNSSEC-signed records. This automatically aligns the trust hierarchy of the certificates with that of the objects the certificates belong to, by re-using the trust hierarchy attesting to the validity of those objects.

Of course, it means the CA business model for domain names becomes obsolete, and only needed to support legacy applications.



Posted Jan 6, 2013 16:38 UTC (Sun) by tialaramex (subscriber, #21167)

And in fact work on the standards to make this happen is already done, as RFC 6698 - DANE, DNS Authentication of Named Entities for SSL / TLS protected services like HTTPS or IMAPS.

For SSH it not only exists, as the SSHFP record, but the software to support it is widely deployed (modern OpenSSH). If your organisation has DNSSEC-signed DNS records and a vaguely modern resolver on machines that run SSH clients, then you can put the public key signatures into DNS and throw away all those known_hosts files that are such a pain to maintain and distribute on big networks.

Actually getting DANE supported is a problem. Mozilla has sat on a Firefox patch for about a year, Internet Explorer would probably only introduce support if it became a Must Have for some reason. The bigger the dinosaur the more tempting it is to preserve the status quo, no matter how miserable that is for users.
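The SSHFP mechanism tialaramex describes, as an added example (not code from this thread or from OpenSSH): it builds the SSHFP record (RFC 4255 / RFC 6594) for a host key and performs the check a DNSSEC-validating SSH client makes when VerifyHostKeyDNS is enabled. The host key, hostname and sample record are constructed for illustration.

```python
"""Build and check SSHFP records (RFC 4255 / RFC 6594) for an OpenSSH public key."""
import base64
import hashlib
import struct

# OpenSSH key-type name -> SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# Fingerprint type -> (number, hash). SHA-1 is kept only so old records can be parsed.
SSHFP_FPTYPE = {"sha1": (1, hashlib.sha1), "sha256": (2, hashlib.sha256)}

def sshfp_rdata(pubkey_line, fptype="sha256"):
    """Return (algorithm, fp_type, fingerprint_hex) for one OpenSSH public-key line
    (the format of ssh_host_*_key.pub). The fingerprint is the hash of the raw key
    blob, i.e. the base64-decoded second field, exactly as ssh-keygen -r computes it."""
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    # Sanity check: the blob's first length-prefixed string must repeat the key type.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode() != keytype:
        raise ValueError("key blob does not match declared key type")
    fpnum, hashfn = SSHFP_FPTYPE[fptype]
    return SSHFP_ALGORITHM[keytype], fpnum, hashfn(blob).hexdigest()

def sshfp_record(hostname, pubkey_line, fptype="sha256"):
    """Zone-file line to publish in the (DNSSEC-signed) zone for hostname."""
    alg, fpt, fp = sshfp_rdata(pubkey_line, fptype)
    return f"{hostname}. IN SSHFP {alg} {fpt} {fp}"

def matches_sshfp(pubkey_line, record):
    """Client side: recompute the fingerprint of the key the server presented and
    compare it with the DNSSEC-validated SSHFP RDATA instead of a known_hosts entry."""
    fields = record.split()
    alg, fpt, fp = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    fptype = {1: "sha1", 2: "sha256"}.get(fpt)
    if fptype is None:
        return False  # unknown fingerprint type: never treat as a match
    return (alg, fpt, fp) == sshfp_rdata(pubkey_line, fptype)

# Constructed sample host key (NOT a real key): an Ed25519 public-key blob is the
# string "ssh-ed25519" followed by the 32-byte public key, both length-prefixed.
_FAKE_KEY = bytes(range(32))
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + _FAKE_KEY
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " root@host"
SAMPLE_RECORD = sshfp_record("host.example.com", SAMPLE_PUBKEY)

if __name__ == "__main__":
    print(SAMPLE_RECORD)
    print("server key matches DNS record:", matches_sshfp(SAMPLE_PUBKEY, SAMPLE_RECORD))
```

The record text is what `ssh-keygen -r host.example.com` prints for the same key; the DNSSEC validation of the answer itself is the resolver's job, which is why the comment stresses a validating resolver on the client side.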

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds