[dnssec-deployment] DNSSEC and certificates.
Ólafur Guðmundsson
ogud at ogud.com
Thu Jan 20 14:56:25 EST 2005
Take a look at following article about possible attacks on PKI systems
http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=181
At 14:46 20/01/2005, Olaf M. Kolkman wrote:
>We discussed vulnarabilities in X.509 that could be solved by using DNSSEC.
>I am trying to get slideware on that argument for a meeting in two weeks
>but the only thing that IMHO is 'an attack vector' is people clicking the
>'yes' button on one of those "This certificate cannot be trusted" boxes
>that ones browser pops up if the certificate of a site is not signed by a
>pre configured certificate.
>
>Is that the attack one was refering to? Allisson, you had a couple of
>ideas, Would you be willing to talk me through one of these, either
>mail or phone will do.
>
>(I also remember Patrick mentioning vulnarabilities in CN verification of
>certificates, but those are arguments for better implementations
>than for DNSSEC)
>
>(I will be giving a presentation at Domain Pulse in two weeks and would
>like to come with a somewhat compelling example. If all else fail I'll
>probably describe man-in-the-middle mailspoof as a use case.)
>
>#############################################################
>This message is sent to you because you are subscribed to
> the mailing list <dnssec-deployment at shinkuro.com>.
>To unsubscribe, E-mail to: <dnssec-deployment-off at shinkuro.com>
>To switch to the DIGEST mode, E-mail to
><dnssec-deployment-digest at shinkuro.com>
>To switch to the INDEX mode, E-mail to <dnssec-deployment-index at shinkuro.com>
>Send administrative queries to <dnssec-deployment-request at shinkuro.com>
>
More information about the Dnssec-deployment
mailing list