[dnssec-deployment] DNSSEC and certificates.

Jakob Schlyter jakob at rfc.se
Thu Jan 20 17:04:41 EST 2005


On Thu, 20 Jan 2005, Olaf M. Kolkman wrote:

> We discussed vulnerabilities in X.509 that could be solved by using DNSSEC. 
> I am trying to get slideware on that argument for a meeting in two weeks but 
> the only thing that IMHO is 'an attack vector' is people clicking the 'yes' 
> button on one of those "This certificate cannot be trusted" boxes that one's 
> browser pops up if the certificate of a site is not signed by a 
> pre-configured certificate.

the question I usually ask people is: why do you buy a certificate from a 
well known CA?

the answer is always (with some rare exception): because we do not want 
the user to see a popup asking them to confirm the site.

we do not (usually) trust CAs because we trust them, we "trust" them 
because our application (e.g. web browser) vendor has put them into our 
system. if people really need real security - they would clear the list of 
trusted CAs and add the ones they really trust. right?

so what does the user do when the certificates expire, the CA is not known 
(e.g. self-signed certificate) or when the user is the target for a 
man-in-the-middle attack? the popup strikes again. and the user has 
learned one thing - to click ok. why? because errors are more common than 
attacks (or at least, we hope so) and if they do not click ok they cannot 
get down to business.

I say that putting (CA or self-signed) certificates into the DNS and 
looking them up (using DNSSEC) for X.509 path validation when setting up 
the TLS connection would give us a lot. I say it gives us better security 
than what we usually do today. I say the CA people will hate the idea and 
I understand them.

and it is all documented in my old - now expired - draft. copies can be 
provided if people are interested.


 	jakob
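As an added illustration of the decision logic Jakob sketches (certificate published in the DNS, fetched with DNSSEC, consulted during X.509 path validation), the following Python is example code written for this page; it is not from his draft and not from any library. The record shape (a SHA-256 digest of the DER certificate under the host name) and the `authenticated` flag, which stands in for a validating resolver's AD bit, are assumptions for the example; the certificate bytes are constructed placeholders, not real DER. The same idea was later standardized as DANE (RFC 6698). The point the code makes is the one the post makes: a DNSSEC-authenticated record can accept a self-signed certificate the CA list would reject, and can reject a certificate the CA list would accept, while an unauthenticated DNS answer must change nothing.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DnsCertAnswer:
    """A hypothetical DNS record publishing the digest of a site's certificate.

    `authenticated` models the AD bit a validating resolver sets only when the
    answer passed DNSSEC validation.  Without it the record is just an unsigned
    DNS reply (spoofable) and must not override the CA-based decision.
    """
    owner: str          # e.g. "www.example.net." (record shape is an assumption)
    sha256_hex: str     # hex SHA-256 of the DER certificate the zone vouches for
    authenticated: bool # True only if the resolver validated the DNSSEC chain


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate presented in the TLS handshake."""
    return hashlib.sha256(cert_der).hexdigest()


def decide(peer_cert_der: bytes,
           answer: Optional[DnsCertAnswer],
           ca_path_ok: bool) -> Tuple[bool, str]:
    """Combine the DNS-published digest with the usual CA path validation.

    peer_cert_der: the leaf certificate the server sent.
    answer:        the DNS record for the host, or None if none was published.
    ca_path_ok:    result of ordinary X.509 path validation against the
                   browser's pre-configured CA list.
    Returns (accept, reason).
    """
    if answer is None:
        # Nothing published in the DNS: behave exactly as today.
        return ca_path_ok, "no DNS record; CA path validation decides"
    if not answer.authenticated:
        # An unsigned answer could have been injected; it gives no evidence.
        return ca_path_ok, "DNS record not DNSSEC-authenticated; ignored, CA path decides"
    if hmac.compare_digest(cert_digest(peer_cert_der), answer.sha256_hex):
        # The zone owner vouched for this exact certificate: accept it even
        # if it is self-signed and no pre-configured CA signed it.
        return True, "DNSSEC-authenticated digest matches; accepted"
    # The zone says a different certificate belongs here.  A chain that a
    # trusted CA happened to sign does not rescue it (mis-issuance / MITM).
    return False, "DNSSEC-authenticated digest mismatch; rejected despite CA path"


# Constructed sample input (placeholders, not real DER certificates).
SITE_CERT = b"-- constructed placeholder: the site's own self-signed certificate --"
OTHER_CERT = b"-- constructed placeholder: a different certificate for the same name --"
PUBLISHED = DnsCertAnswer("www.example.net.", cert_digest(SITE_CERT), authenticated=True)
UNSIGNED = DnsCertAnswer("www.example.net.", cert_digest(SITE_CERT), authenticated=False)


if __name__ == "__main__":
    scenarios = [
        ("self-signed, DNSSEC-published",  SITE_CERT,  PUBLISHED, False),
        ("self-signed, record unsigned",   SITE_CERT,  UNSIGNED,  False),
        ("CA-signed but not the published one", OTHER_CERT, PUBLISHED, True),
        ("no record, CA-signed",           OTHER_CERT, None,      True),
    ]
    for label, cert, rec, ca_ok in scenarios:
        accept, why = decide(cert, rec, ca_ok)
        print(f"{label:40s} -> {'ACCEPT' if accept else 'REJECT'}: {why}")
```

The popup problem in the post maps onto the first scenario: with an authenticated record the self-signed site is accepted silently instead of training the user to click "ok". The third scenario is the inverse case the post's man-in-the-middle remark points at: the zone owner's statement outranks any CA in the pre-configured list.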


