[dnssec-deployment] DNSSEC and certificates.
jakob at rfc.se
Thu Jan 20 17:04:41 EST 2005
On Thu, 20 Jan 2005, Olaf M. Kolkman wrote:
> We discussed vulnerabilities in X.509 that could be solved by using DNSSEC.
> I am trying to get slideware on that argument for a meeting in two weeks but
> the only thing that IMHO is 'an attack vector' is people clicking the 'yes'
> button on one of those "This certificate cannot be trusted" boxes that one's
> browser pops up if the certificate of a site is not signed by a
> pre-configured certificate.
the question I usually ask people is: why do you buy a certificate from a
well known CA?
the answer is always (with some rare exception): because we do not want
the user to see a popup asking them to confirm the site.
we do not (usually) trust CAs because we trust them, we "trust" them
because our application (e.g. web browser) vendor has put them into our
system. if people really needed real security, they would clear the list of
trusted CAs and add the ones they really trust. right?
so what does the user do when the certificates expire, the CA is not known
(e.g. self-signed certificate) or when the user is the target of a
man-in-the-middle attack? the popup strikes again. and the user has
learned one thing - to click ok. why? because errors are more common than
attacks (or at least, we hope so) and if they do not click ok they cannot
get down to business.
I say that putting (CA or self-signed) certificates into the DNS and
looking them up (using DNSSEC) for X.509 path validation when setting up
the TLS connection would give us a lot. I say it gives us better security
than what we usually do today. I say the CA people will hate the idea and
I understand them.
and it is all documented in my old - now expired - draft. copies can be
provided if people are interested.
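The decision logic the post proposes (look up the certificate in DNS, only trust the answer if DNSSEC validated it, and match it against the chain the TLS peer presented) as an added example written for this page; it is not code from the post or from the expired draft. The DNS answer, the authenticated flag standing in for the resolver's DNSSEC validation result, and the DER bytes are all constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class DnsCertAnswer:
    # Constructed stand-in for a DNS response carrying SHA-256 fingerprints of
    # certificates (leaf, CA or self-signed). 'authenticated' models whether the
    # validating resolver verified the DNSSEC chain for this answer (the AD bit).
    fingerprints: FrozenSet[str]
    authenticated: bool


def fingerprint(der: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def dns_trust_decision(chain: List[bytes], answer: DnsCertAnswer) -> Tuple[bool, str]:
    """Decide whether DNS-published certificate data authorises this TLS peer.

    chain: DER certificates as presented by the peer, leaf first, ending with
           the CA or self-signed certificate that closes the path.
    Policy: an answer that DNSSEC did not validate carries no trust at all
    (a DNS spoofer could otherwise also spoof the certificate). With a validated
    answer the peer is accepted if its leaf, or any issuer in its chain, is
    published in DNS; a validated answer that matches nothing is a hard
    failure, not a popup.
    """
    if not answer.authenticated:
        return False, "dns-unvalidated"
    if not chain:
        return False, "empty-chain"
    for depth, der in enumerate(chain):
        if fingerprint(der) in answer.fingerprints:
            return True, "leaf-in-dns" if depth == 0 else "issuer-in-dns"
    return False, "no-match"


def demo() -> Tuple[bool, str]:
    # Constructed sample: a self-signed server certificate published in DNS.
    self_signed = b"constructed-der-self-signed-cert"
    published = DnsCertAnswer(frozenset({fingerprint(self_signed)}), authenticated=True)
    return dns_trust_decision([self_signed], published)


if __name__ == "__main__":
    print(demo())  # (True, 'leaf-in-dns')
```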