On Wed, Oct 23, 2013 at 11:59 AM, Fabian Wenk <fab...@wenks.ch> wrote: > > There are steps you could do to protect your customers in the future, as the > use of such services from the client side is not fully supported yet. Sign > your DNS zone with DNSSEC and let add the corresponding entries to your > upstream TLD. But the clients (e.g. customers computers) need also to use > and check DNSSEC when resolving (this also depends on the upstream name > server, e.g. from your ISP). And then also add DANE [1] entries into your > DNS zone for the hostnames which provide SSL or TLS services. Utilizing DNS just moves the key distribution problem around. Instead of trusting a CA you're now trusting DNS. In either case, you're still likely trusting someone (CA or DNS) external to your organization.
Dr. Bernstein has a good time with DNSSEC in his talks. See, for example, Cryptography Worst Practices, http://secappdev.org/lectures/144. The entire talk is good, but his DNSSEC bashing occurs around 14:40 (min:sec). Jeff _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/