Herman: Shipping Rust in Firefox
Posted Jul 14, 2016 18:01 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: Herman: Shipping Rust in Firefox by Lennie
Parent article: Herman: Shipping Rust in Firefox
Before the root zone was signed, it had been common to sign side chains. And it's still possible to use custom roots of trust for specific TLDs.
It makes little sense for .com (it's managed by the US anyway), but it makes more sense for smaller TLDs.
> No, I meant something like Bitcoin for the root / TLDs might be a good idea.
Might make sense.
Posted Jul 14, 2016 18:28 UTC (Thu) by Lennie (subscriber, #49641)
I don't understand 100% what you mean, but if you are an attacker you won't be signing a whole TLD, if that was what you were implying; you would obviously be doing live signing.
Posted Jul 14, 2016 19:52 UTC (Thu) by farnz (subscriber, #17727)
But, if your operation is to remain stealthy, you need to sign every response I see for the duration of the appropriate TTLs; thus, instead of only needing to MITM one Internet access session plus compromise one trusted CA (which is all you need in the current CA/B Forum PKI setup), you need to MITM every DNS query I send or receive for a week (that being the TTL of DS records in the root). If you don't, you run the risk that I'll see the "real" key, and discover that there's perfidy afoot.
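The detection side of farnz's argument, as an added example that is not part of the thread: a resolver-side monitor that remembers the last DS set seen per delegation and flags a set that is replaced, with no overlapping digest, before the one-week DS TTL has run out. The delegation name, digests and timestamps are constructed; a real deployment would feed it DS RRsets from a validating resolver's logs.

```python
# Added illustration, not code from the thread; sample values are constructed.
from dataclasses import dataclass, field

DS_TTL_SECONDS = 7 * 24 * 3600  # one week, the root DS TTL cited in the comment


@dataclass(frozen=True)
class DsObservation:
    seen_at: int            # unix time the answer was received
    name: str               # delegation the DS set belongs to
    digests: frozenset      # DS digests (hex) present in the answer


@dataclass
class DsPinMonitor:
    """Remember the last DS set per name and flag a swap inside the TTL."""
    ttl: int = DS_TTL_SECONDS
    last: dict = field(default_factory=dict)

    def observe(self, obs: DsObservation):
        prev = self.last.get(obs.name)
        self.last[obs.name] = obs
        if prev is None:
            return None                 # first sight: nothing to compare against
        if obs.seen_at - prev.seen_at > self.ttl:
            return None                 # cached answer expired; a new key is expected
        if obs.digests & prev.digests:
            return None                 # overlap: consistent with a double-DS rollover
        return (f"{obs.name}: DS set replaced {obs.seen_at - prev.seen_at}s "
                f"after last sight, inside the {self.ttl}s TTL")


def run_sample():
    """Feed constructed observations through the monitor; return the alerts."""
    real = frozenset({"ab12"})              # constructed digest values
    rollover = frozenset({"ab12", "cd34"})
    forged = frozenset({"ee99"})
    t0 = 1_468_519_200                      # constructed: 2016-07-14 UTC
    day = 24 * 3600
    events = [
        DsObservation(t0, "example.", real),
        DsObservation(t0 + 2 * day, "example.", rollover),       # overlap: fine
        DsObservation(t0 + 3 * day, "example.", forged),         # swap inside TTL: alert
        DsObservation(t0 + 11 * day, "example.", real),          # past TTL: fine
    ]
    mon = DsPinMonitor()
    return [alert for alert in (mon.observe(e) for e in events) if alert]
```

Only the third observation trips the check; the second is treated as a legitimate rollover because the new set still contains the previously seen digest.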