
Google: Maintaining digital certificate security

Posted Mar 24, 2015 16:36 UTC (Tue) by flussence (guest, #85566)
In reply to: Google: Maintaining digital certificate security by Aissen
Parent article: Google: Maintaining digital certificate security

It's not all about decreasing the number of anchors, but decreasing possible points of breach.

DANE as currently specced can be used in two ways: ignore a compliant user-agent's pre-trusted CA list entirely (leaving the DNS as the sole chain of trust), or augment it as a whitelist where the TLSA records have to match the site and CA certificates presented.

The latter would require an attacker to not only MITM with a "trusted" certificate in the browser's store, but also do the same for DNSSEC.


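The two DANE modes described in the comment above, as an added example that is not part of the original comment or of any DANE implementation: a TLSA check where usages 2 and 3 trust DNS alone and usages 0 and 1 require both a CA-store-valid chain and a matching record. The `Cert` and `TLSA` classes, the function names and the byte strings standing in for certificates are assumptions made for illustration; `pkix_valid` and `dnssec_valid` are taken as inputs from a real validator.

```python
import hashlib
from dataclasses import dataclass

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3  # RFC 6698 certificate usages

@dataclass
class Cert:            # stand-in for a parsed certificate (constructed sample data)
    der: bytes         # full certificate, selector 0
    spki: bytes        # SubjectPublicKeyInfo, selector 1

@dataclass
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes

def association(cert, selector, mtype):
    """Compute the value a TLSA record's data field is compared against."""
    blob = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return blob
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](blob).digest()

def record_matches(rec, chain):
    """EE usages pin the leaf (chain[0]); TA usages pin an issuer above it."""
    candidates = chain[:1] if rec.usage in (PKIX_EE, DANE_EE) else chain[1:]
    return any(association(c, rec.selector, rec.mtype) == rec.data for c in candidates)

def authenticate(records, chain, pkix_valid, dnssec_valid):
    """Accept the server only if a DNSSEC-validated TLSA record allows it."""
    if not dnssec_valid:
        return False   # unauthenticated TLSA data is never trusted (fail closed here)
    for rec in records:
        if not record_matches(rec, chain):
            continue
        if rec.usage in (DANE_TA, DANE_EE):
            return True            # DNS is the sole chain of trust
        if pkix_valid:
            return True            # whitelist mode: CA store AND TLSA must agree
    return False

# Constructed sample data: byte strings standing in for DER encodings.
leaf, ca = Cert(b"leaf-der", b"leaf-spki"), Cert(b"ca-der", b"ca-spki")
rogue_leaf, rogue_ca = Cert(b"rogue-der", b"rogue-spki"), Cert(b"other-ca-der", b"other-ca-spki")
pin = hashlib.sha256(leaf.spki).digest()
pkix_ee, dane_ee = TLSA(PKIX_EE, 1, 1, pin), TLSA(DANE_EE, 1, 1, pin)

if __name__ == "__main__":
    print(authenticate([pkix_ee], [leaf, ca], True, True))              # real site
    print(authenticate([pkix_ee], [rogue_leaf, rogue_ca], True, True))  # mis-issued cert
    print(authenticate([dane_ee], [leaf], False, True))                 # DNS-only trust
```

The second call is the case the comment describes: a chain that the CA store accepts is still rejected because it does not match the DNSSEC-signed TLSA record.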


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds