Matt McCutchen wrote:
>
> On Thu, 2010-09-16 at 07:27 +0200, Martin Rex wrote:
> > Clearly unsafe operations:
> >
> >   - building a reference identifier from the result of a
> >     DNS CNAME lookup
> >
> >     (the use of DNSSEC does not make this safe)
>
> Why not?  I'm not saying it's good practice, but I don't see an actual
> vulnerability.

You need two characteristics:

  (1) trustworthy information source for a name transformation
  (2) protected access to this trustworthy source

DNSSEC meets (2) but not (1)

DNSSEC provides only data integrity protection and data origin
authentication for the distribution of the information, it has
zero impact on the quality, accuracy and trustworthiness of the
underlying information source.

If Wikipedia enables TLS on their web-servers tomorrow so that you
can access it through https://www.wikipedia.org/ what impact will
this have on the trustworthiness of the information in Wikipedia articles?

When there is no change to how others can access Wikipedia and
edit the information there, the impact of you using TLS to access
Wikipedia will have exactly zero _impact_ on the trustworthiness of
the information in Wikipedia.

-Martin

_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
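
The distinction drawn in this message, as an added example that is not part of the original thread: a client that takes its reference identifier from a DNSSEC-validated CNAME target ends up checking the certificate against a name the user never supplied. All host names, the zone data, the certificate contents and the simplified matching rule are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    target: str         # CNAME target returned by the resolver
    dnssec_valid: bool  # signature chain verified: integrity and origin only

# Constructed zone data (hypothetical names). Whoever can edit the zone
# chooses the target; DNSSEC signs whatever was published there.
ZONE = {"www.shop.example": Answer("host42.cdn-provider.example", True)}

# Constructed certificate SANs, keyed by the endpoint that presents them.
CERT_SANS = {"host42.cdn-provider.example": ["*.cdn-provider.example"]}

def san_matches(pattern: str, name: str) -> bool:
    """Simplified dNSName match: exact, or '*' as the whole left-most label."""
    p, n = pattern.lower().split("."), name.lower().split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return p[1:] == n[1:]
    return p == n

def verify(source: str, derive_from_cname: bool):
    """Return (reference_identifier, certificate_accepted) for one connection.

    source is the name the user supplied. With derive_from_cname=True the
    reference identifier is replaced by the CNAME target, the practice the
    message calls unsafe.
    """
    answer = ZONE[source]
    if derive_from_cname and not answer.dnssec_valid:
        raise ValueError("unauthenticated CNAME answer")
    reference_id = answer.target if derive_from_cname else source
    presented = CERT_SANS[answer.target]  # the endpoint reached is the same
    accepted = any(san_matches(s, reference_id) for s in presented)
    return reference_id, accepted

if __name__ == "__main__":
    for derive in (True, False):
        print(derive, verify("www.shop.example", derive))
```

With the derived identifier the check passes although the certificate says nothing about `www.shop.example`; with the user-supplied name as reference identifier the same certificate is rejected.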
