[dnssec-deployment] DNSSEC and certificates.
Doug Barton
doug.barton at icann.org
Sat Jan 22 16:10:06 EST 2005
The attack vector I'm most concerned about is the one where the attacker
obtains a valid certificate, and then spoofs DNS to direct traffic to his
bogus site. There is no way for the average user to protect themselves
against this attack.

Vectors for obtaining a valid cert are many: a disgruntled former employee,
cracking a poorly protected web server, CA error (e.g., the Microsoft case
with VeriSign a while back), etc. etc.

HTH,

Doug
--
Doug Barton
General Manager, The Internet Assigned Numbers Authority