Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread bmanning
On Mon, Sep 12, 2011 at 10:15:10PM -0500, Ryan Gelobter wrote: > I e-mailed Marco (md) the creator of 'whois' back in July when this started > and he stated he was going to try to work around the rWHOIS issue in the > next release. Sadly there hasn't been a new release yet but I am hopeful.

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Always Learning
On Mon, 2011-09-12 at 20:07 -0700, Michael Sinatra wrote: > Unfortunately, the original poster, against advice given to him, > posted an insulting, jingoistic, inane, and even more derogatory > version of his NANOG post, apparently in an effort to spur discussion. > What was once a legitimate iss

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Ryan Gelobter
I e-mailed Marco (md) the creator of 'whois' back in July when this started and he stated he was going to try to work around the rWHOIS issue in the next release. Sadly there hasn't been a new release yet but I am hopeful.

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Michael Sinatra
On 09/12/11 17:49, Jimmy Hess wrote: I think arin-discuss would be a better place for this than arin-ppml. You're suggesting using ARIN's private members-only mailing list over a public one? That doesn't make sense, because this is a public issue, not a members issue. PPML isn't right either, t

Re: vyatta for bgp

2011-09-12 Thread Tony Varriale
On 9/12/2011 3:12 PM, Dobbins, Roland wrote: On Sep 13, 2011, at 2:45 AM, Owen DeLong wrote: In your typical enterprise environment, a 1G DoS will zorch the link long before it zorches the router at the enterprise side. This contradicts my experience - I've repeatedly witnessed only a few mb/

Re: vyatta for bgp

2011-09-12 Thread Jimmy Hess
On Mon, Sep 12, 2011 at 2:35 PM, Nick Hilliard wrote: > I presume by "a fair amount" you mean "barely any"? > At large packet sizes, an "enterprise level" router will just about handle > a 1G DoS attack.  Thing is, bandwidth DoS / DDoS is sufficiently easy to [snip] How much "zorching"

RE: Saudi Telecom sending route with invalid attributes 212.118.142.0/24

2011-09-12 Thread Schiller, Heather A
Could be this..? http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/configuration-statement/independent-domain-edit-routing-options.html "unrecognized transitive attributes" depend on whatever code version you are running... What's more important is how the unrecognized attrib

Re: vyatta for bgp

2011-09-12 Thread Robert Bays
> On Sep 13, 2011, at 2:45 AM, Roland Dobbins wrote: > This contradicts my experience - I've repeatedly witnessed only a few mb/sec > of 64-byte packets making software-based routers fall over, including just > last month. It's easy to get 6Mpps using Vyatta or most other software based router

Re: EV SSL Certs

2011-09-12 Thread Coy Hile
On Mon, Sep 12, 2011 at 11:39 PM, Jimmy Hess wrote: > On Mon, Sep 12, 2011 at 7:08 AM, Coy Hile wrote: >> As an academic aside, exactly what would one set on his (internal) >> root CA so that internally-trusted certs signed by that CA would show >> up as EV certs? > > This is not possible without

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Jimmy Hess
>>I think arin-discuss would be a better place for this than arin-ppml. You're suggesting using ARIN's private members-only mailing list over a public one? That doesn't make sense, because this is a public issue, not a members issue. PPML isn't right either, that's a numbering policy discussion li

Re: EV SSL Certs

2011-09-12 Thread Jimmy Hess
On Mon, Sep 12, 2011 at 7:08 AM, Coy Hile wrote: > As an academic aside, exactly what would one set on his (internal) > root CA so that internally-trusted certs signed by that CA would show > up as EV certs? This is not possible without changing browser source code and recompiling (or debugging/e

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Jimmy Hess
On Mon, Sep 12, 2011 at 6:23 AM, Gregory Edigarov wrote: > I.e. instead of a set of trusted CAs there will be one distributed net > of servers, that act as a cert storage? > I do not see how that could help... More lines of defense on top of the CA model. Consider instead of abandoning the CA mode

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Marcus Reid
On Mon, Sep 12, 2011 at 11:00:47PM +0100, Tony Finch wrote: > Note that a big weak point in the DNS is the interface between the > registrars and the registry. If you have a domain you have to trust the > registry to impose suitable restrictions on its registrars to prevent a > dodgy registrar from

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread fredrik danerklint
Tony, Thanks for this explanation! I think this is what I've been looking for regarding securing DNSSEC. > > and how about an end user, who doesn't understand a computer at all, to > > be able to verify the signatures, correctly? > > The current trust model for DNSSEC relies on the vendor of the

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Tony Finch
> > > > with dane, i trust whoever runs dns for citibank to identify the cert > > > > for citibank. this seems much more reasonable than other approaches, > > > > though i admit to not having dived deeply into them all. > > > If the root DNS keys were compromised in an all DNS rooted world... > >

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Tony Finch
fredrik danerklint wrote: > > and how about an end user, who doesn't understand a computer at all, to > be able to verify the signatures, correctly? The current trust model for DNSSEC relies on the vendor of the validator to bootstrap trust in the root key. This is partly a matter of pragmatism since

Re: [NANOG-announce] NANOG 53 draft agenda available

2011-09-12 Thread David Meyer
Sure. NANOG support can you update please? Thanks, Dave On Mon, Sep 12, 2011 at 2:40 PM, Aaron Hughes wrote: > David, > > I am also running the Peering Track (which will be good for IXs and such to > know to contact me ahead of time). Can you please add 'Aaron Hughes, CTO > 6connect' to the

Re: vyatta for bgp

2011-09-12 Thread Nick Hilliard
On 12/09/2011 20:45, Owen DeLong wrote: > In your typical enterprise environment, a 1G DoS will zorch the link long > before it zorches the router at the enterprise side. It sure will, unless you have multiple 1G links into your router, in which case the ddos will effectively trash all the links.

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Tony Finch
Mike Jones wrote: > > DNSSEC deployment is advanced enough now to do that automatically at the > client. Sadly not quite. DNSSEC does have the potential to provide an alternative public key infrastructure, and I'm keen to see that happen. But although it works well between authoritative servers a

Re: vyatta for bgp

2011-09-12 Thread Martin Millnert
Brent, On Mon, Sep 12, 2011 at 11:13 PM, Brent Jones wrote: > Lots of devices can have trouble if you direct high PPS to the control > plane, and will exhibit performance degradation, leading up to a DoS > eventually. > That isn't limited to software based routers at all, it will impact > dedicat

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Randy Bush
> I'm not sure if all of NANOG wants to hear about the various behaviors > of different whois clients dealing with different whois servers around > the globe. i doubt if there is anything which *all* of nanog wants to hear. but i suspect a damned lot of us care about whois behavior, as we either

[NANOG-announce] NANOG 53 draft agenda available

2011-09-12 Thread David Meyer
Please see http://www.nanog.org/meetings/nanog53/agenda.html. Note that the Loews room block expires on 09/23/2011. Note also that the standard registration fee runs through 10/04/2011. Looking forward to seeing you in Philadelphia. Thanks, Dave (for the NANOG PC)

Re: vyatta for bgp

2011-09-12 Thread Dobbins, Roland
On Sep 13, 2011, at 4:13 AM, Brent Jones wrote: > A high end ASIC can handle millions/tens of millions PPS, but directed > to the control plane (which is often a general purpose CPU as well, > Intel or PowerPC), probably not in most scenarios. CoPP. --

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Mark Kosters
On 9/12/11 4:58 PM, "Michael Sinatra" wrote: >On 09/12/11 10:13, Always Learning wrote: > >> Primarily IP ranges to block and/or abuse email addresses. >> >>> https://www.arin.net/participate/mailing_lists/ >> >> Thank you. I will try it. >> >>> Oh, and there they also like to see your real na

Re: vyatta for bgp

2011-09-12 Thread Brent Jones
On Mon, Sep 12, 2011 at 1:52 PM, Dobbins, Roland wrote: > On Sep 13, 2011, at 3:43 AM, Everton Marques wrote: > >> Would Cisco ISR G2 3925E classify as software-based router? > > Yes. > >> Do you expect it to bend itself down under a few Mbps of 64-byte packets? > > Especially if they're directed

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Jasper Wallace
On Mon, 12 Sep 2011, Gregory Edigarov wrote: > On Mon, 12 Sep 2011 12:12:08 +0200 > Martin Millnert wrote: > > > Mike, > > > > On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: > > > It will take a while to get updated browsers rolled out to enough > > > users for it to be practical to start

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Randy Bush
>> Now, I agree on the part that ARIN should be doing RPSL, or even >> more, just start using the RIPE whois server for serving their data. > Now wait one moment until I bog you down with 20 years worth of legacy > paranoia, "Not Invented Here" and useless history about why this > shouldn't ever ha

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Måns Nilsson
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Date: Mon, Sep 12, 2011 at 10:42:35PM +0200 Quoting fredrik danerklint (fredan-na...@fredan.se): > > Quite trivial, in fact. > > and how about an end user, who doesn't understand a computer at all, to be > able > v

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Michael Sinatra
On 09/12/11 10:13, Always Learning wrote: Primarily IP ranges to block and/or abuse email addresses. https://www.arin.net/participate/mailing_lists/ Thank you. I will try it. Oh, and there they also like to see your real name and not a junk mail address. Just like on the RIPE mailinglis

Re: vyatta for bgp

2011-09-12 Thread Dobbins, Roland
On Sep 13, 2011, at 3:43 AM, Everton Marques wrote: > Would Cisco ISR G2 3925E classify as software-based router? Yes. > Do you expect it to bend itself down under a few Mbps of 64-byte packets? Especially if they're directed at the router itself, at some point, sure - though the ISR2 certainl

Re: vyatta for bgp

2011-09-12 Thread Ben Albee
Thanks for all the feedback. We will only have two ipv4 BGP peers (both 5mb/sec links) to the same ISP. We are doing BGP because we plan to add a second ISP at one of our locations in the future. We are not anywhere near a large enterprise; this will be replacing two DSL lines and a T1.

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread fredrik danerklint
> > > > How about a TXT record with the CN string of the CA cert subject in > > > > it? If it exists and there's a conflict, don't trust it. Seems > > > > simple enough to implement without too much collateral damage. > > > > > > Needs to be a DNSSEC-validated TXT record, or you've opened yoursel

Re: vyatta for bgp

2011-09-12 Thread Everton Marques
On Mon, Sep 12, 2011 at 5:12 PM, Dobbins, Roland wrote: > On Sep 13, 2011, at 2:45 AM, Owen DeLong wrote: > >> In your typical enterprise environment, a 1G DoS will zorch the link long >> before it zorches the router at the enterprise side. > > This contradicts my experience - I've repeatedly wit

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Valdis . Kletnieks
On Mon, 12 Sep 2011 22:31:59 +0200, Måns Nilsson said: > Since you are from Sweden, and in an IT job, you probably have personal > relations to someone who has personal relations to one of the swedes > or other nationalities that were present at the key ceremonies for the > root. Once you've estab

Re: vyatta for bgp

2011-09-12 Thread Dobbins, Roland
On Sep 13, 2011, at 3:34 AM, Chuck Church wrote: > Is the concern over a DDOS aimed against the router itself, or just massive > flows passing through? Yes, but mainly the former. ;> --- Roland Dobbins //

Re: vyatta for bgp

2011-09-12 Thread Valdis . Kletnieks
On Mon, 12 Sep 2011 20:12:43 -, "Dobbins, Roland" said: > This contradicts my experience - I've repeatedly witnessed only a few mb/sec > of 64-byte packets making software-based routers fall over, including just > last > month. On the flip side, there's a *lot* of sites that have to make trad

RE: vyatta for bgp

2011-09-12 Thread Chuck Church
Original Message- From: Dobbins, Roland [mailto:rdobb...@arbor.net] Sent: Monday, September 12, 2011 2:56 PM To: North American Network Operators' Group Subject: Re: vyatta for bgp >zorched. --- Zorch. I like that. So

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Måns Nilsson
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Date: Mon, Sep 12, 2011 at 11:46:04AM +0200 Quoting fredrik danerklint (fredan-na...@fredan.se): > > > How about a TXT record with the CN string of the CA cert subject in it? > > > If it exists and there's a conflict,

Re: vyatta for bgp

2011-09-12 Thread Dobbins, Roland
On Sep 13, 2011, at 2:45 AM, Owen DeLong wrote: > In your typical enterprise environment, a 1G DoS will zorch the link long > before it zorches the router at the enterprise side. This contradicts my experience - I've repeatedly witnessed only a few mb/sec of 64-byte packets making software-base

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Eliot Lear
On 9/12/11 4:32 PM, Jason Duerstock wrote: > Except that this just shifts the burden of trust on to DNSSEC, which > also necessitates a central authority of 'trust'. Unless there's an > explicitly more secure way of storing DNSSEC private keys, this just > moves the bullseye from CAs to DNSSEC s

Re: vyatta for bgp

2011-09-12 Thread Owen DeLong
On Sep 12, 2011, at 12:35 PM, Nick Hilliard wrote: > On 12/09/2011 20:08, Michael K. Smith - Adhost wrote: >> How do you come to this conclusion? I think a software-based router for >> enterprise level (let's say on the 1G per provider level) can handle a >> fair amount of zorching. > > I presu

Re: vyatta for bgp

2011-09-12 Thread Jared Geiger
On Mon, Sep 12, 2011 at 2:42 PM, Ben Albee wrote: > Does anybody currently use vyatta as a bgp router for their company? If > so have you run into any problems with using that instead of a cisco or > juniper router? > > There was a bug where you couldn't use two IPv4 peers and then add IPv6. I ha

Re: vyatta for bgp

2011-09-12 Thread Dobbins, Roland
On Sep 13, 2011, at 2:08 AM, Michael K. Smith - Adhost wrote: > How do you come to this conclusion? Unhappy experiences. ;> > I think a software-based router for enterprise level (let's say on the 1G > per provider level) can handle a fair amount of zorching. My experience indicates otherwi

Re: vyatta for bgp

2011-09-12 Thread Nick Hilliard
On 12/09/2011 20:08, Michael K. Smith - Adhost wrote: > How do you come to this conclusion? I think a software-based router for > enterprise level (let's say on the 1G per provider level) can handle a > fair amount of zorching. I presume by "a fair amount" you mean "barely any"? At la

RE: vyatta for bgp

2011-09-12 Thread Michael K. Smith - Adhost
> -Original Message- > From: Dobbins, Roland [mailto:rdobb...@arbor.net] > Sent: Monday, September 12, 2011 11:56 AM > To: North American Network Operators' Group > Subject: Re: vyatta for bgp > > On Sep 13, 2011, at 1:42 AM, Ben Albee wrote: > > > Does anybody currently use vyatta as a b

Re: vyatta for bgp

2011-09-12 Thread fredrik danerklint
> The days of public-facing software-based routers were over years ago - you > need an ASIC-based edge router, else you'll end up getting zorched. wait, what? -- //fredan

Re: vyatta for bgp

2011-09-12 Thread Dobbins, Roland
On Sep 13, 2011, at 1:42 AM, Ben Albee wrote: > Does anybody currently use vyatta as a bgp router for their company? The days of public-facing software-based routers were over years ago - you need an ASIC-based edge router, else you'll end up getting zorched. ---

vyatta for bgp

2011-09-12 Thread Ben Albee
Does anybody currently use vyatta as a bgp router for their company? If so have you run into any problems with using that instead of a cisco or juniper router?

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Mike Jones
On 12 September 2011 18:39, Robert Bonomi wrote: > Seriously, about the only way I see to ameliorate this kind of problem is > for people to use self-signed certificates that are then authenticated > by _multiple_ 'trust anchors'.  If the end-user world raises warnings > for a certificate 'authent

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Brandon Ewing
On Mon, Sep 12, 2011 at 12:53:47PM -0400, Jon Lewis wrote: > Prepending the query with a + "works" for me, in that I get the expected > data, but there's additional unexpected data (full record for the Parent, > even if the Parent is just an ARIN /8) in the output that will probably > still cause

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Christopher Morrow
On Mon, Sep 12, 2011 at 1:39 PM, Robert Bonomi wrote: > >> Date: Mon, 12 Sep 2011 11:22:11 -0400 >> Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, >>  releases updates >> From: Christopher Morrow >> >> I think I need a method that the service operator can use to signal to

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Damian Menscher
On Mon, Sep 12, 2011 at 7:09 AM, Martin Millnert wrote: > > Something similar, including use of purchased (not only limited to > stolen certs), is ongoing already, all of the time. (I had a fellow > IRC-chat-friend report from a certain very western-allied middle > eastern country that there's I

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Robert Bonomi
> Date: Mon, 12 Sep 2011 11:22:11 -0400 > Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, > releases updates > From: Christopher Morrow > > I think I need a method that the service operator can use to signal to my > user-client outside the certificate itself that the cert

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Nick Hilliard
On 12/09/2011 17:17, Jeroen Massar wrote: > You are confusing RPSL (RFC2650) with WHOIS (RFC812,RFC954,RFC3912). and you are confusing RPSL with RIPE-181 syntax. RIPE-181 and its grandchildren is a specification for whois information. RPSL is a routing policy language which uses ripe-181 format.

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Jon Lewis
On Mon, 12 Sep 2011, Christopher Morrow wrote: my guess is that ARIN is hoping folks turn to the actual RESTful interface for many scripted purposes...I keep expecting to see some example python/perl/etc off: Should I change my code to par

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Always Learning
On Mon, 2011-09-12 at 18:17 +0200, Jeroen Massar wrote: > On 2011-09-12 17:40 , Always Learning wrote: > > Dear person who is too scared to set up a regular email account in his own > full name. Dear Fuzzel, My name is Paul. It was at the bottom of my posting. Sorry I have never ever had a Ho

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Christopher Morrow
On Mon, Sep 12, 2011 at 12:53 PM, Jon Lewis wrote: > On Mon, 12 Sep 2011, Eric Krichbaum wrote: > >> That was on June 25th according to Mark Kosters.  They started to answer >> with both the parent and delegated objects.  That hosed the way RWHOIS >> data >> was being reported to most things as th

RE: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Jon Lewis
On Mon, 12 Sep 2011, Eric Krichbaum wrote: That was on June 25th according to Mark Kosters. They started to answer with both the parent and delegated objects. That hosed the way RWHOIS data was being reported to most things as the client won't know which to send through to the rwhois servers.

RE: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Eric Krichbaum
That was on June 25th according to Mark Kosters. They started to answer with both the parent and delegated objects. That hosed the way RWHOIS data was being reported to most things as the client won't know which to send through to the rwhois servers. Still works from an old SCO box but not from

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Always Learning
On Mon, 2011-09-12 at 12:32 -0400, Jon Lewis wrote: > No he's not. He's complaining that sometime in the past few weeks (or is > it months now?) ARIN changed the behavior of their whois server. New > output for the query 209.208.0.1 is (omitting comments): > > Internet Connect Company, Inc.

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Jon Lewis
On Mon, 12 Sep 2011, Jeroen Massar wrote: On 2011-09-12 17:40 , Always Learning wrote: Dear person who is too scared to set up a regular email account in his own full name. [..] The Internet was created in North America. Many people around the world would appreciate your help in getting ARIN to

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Jeroen Massar
On 2011-09-12 17:40 , Always Learning wrote: Dear person who is too scared to set up a regular email account in his own full name. [..] > The Internet was created in North America. Many people around the world > would appreciate your help in getting ARIN to revert to normal WHOIS > displays. ARIN w

Disappointing ARIN - A great advertisement for the USA ?

2011-09-12 Thread Always Learning
Hallo North Americans, I am from Europe. A contributor on the Centos (the largest Red Hat clone) list suggested I repost my ARIN item on your list. I have a BASH script called .w It contains #! /bin/bash whois $1 host $1 When I type .w 51.51.51.51 I receiv

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Ted Cooper
On 13/09/11 01:12, Randy Bush wrote: >>> as eliot pointed out, to defeat dane as currently written, you would >>> have to compromise dnssec at the same time as you compromised the CA at >>> the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to >>> CA trust. >> Yes, I saw that. It a

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Michael Thomas
Martin Millnert wrote: On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas wrote: And how long would it be before browsers allowed self-signed-but-ok'ed-using-dnssec-protected-cert-hashes? As previously mentioned, Chrome >= v14 already does. The perils of coming in late in a thread :) Mike

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Christopher Morrow
On Mon, Sep 12, 2011 at 4:39 AM, wrote: > On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said: >> If I have a thawte cert for valdis.com on host A and one from comodo >> on host B... which is the right one? > > You wouldn't have 2 certs for that... I'd have *one* cert for that. And if > wh

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Martin Millnert
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas wrote: > And how long would it be before browsers allowed > self-signed-but-ok'ed-using-dnssec-protected-cert-hashes? As previously mentioned, Chrome >= v14 already does. Regards, Martin

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Randy Bush
>> as eliot pointed out, to defeat dane as currently written, you would >> have to compromise dnssec at the same time as you compromised the CA at >> the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to >> CA trust. > Yes, I saw that. It also drives up complexity too and makes you

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Michael Thomas
Randy Bush wrote: with dane, i trust whoever runs dns for citibank to identify the cert for citibank. this seems much more reasonable than other approaches, though i admit to not having dived deeply into them all. If the root DNS keys were compromised in an all DNS rooted world... unhappiness w

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Gregory Edigarov
On Mon, 12 Sep 2011 07:53:57 -0700 Michael Thomas wrote: > Randy Bush wrote: > >> But Gregory is right, you cannot really trust anybody completely. > >> Even the larger and more respectable commercial organisations will > >> be unable to resist when they ask > >> for dodgy certs so they can inte

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Randy Bush
>> with dane, i trust whoever runs dns for citibank to identify the cert >> for citibank. this seems much more reasonable than other approaches, >> though i admit to not having dived deeply into them all. > If the root DNS keys were compromised in an all DNS rooted world... > unhappiness would ens

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Michael Thomas
Randy Bush wrote: But Gregory is right, you cannot really trust anybody completely. Even the larger and more respectable commercial organisations will be unable to resist when they ask for dodgy certs so they can intercept something.. No, as soon as you have somebody who is not yourself in cont

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Randy Bush
> But Gregory is right, you cannot really trust anybody completely. Even > the larger and more respectable commercial organisations will be > unable to resist when they ask for > dodgy certs so they can intercept something.. > > No, as soon as you have somebody who is not yourself in control > wi

Re: DANE and DNSSEC, was Microsoft deems all DigiNotar

2011-09-12 Thread John Levine
In article you write: >Except that this just shifts the burden of trust on to DNSSEC, which also >necessitates a central authority of 'trust'. Unless there's an explicitly >more secure way of storing DNSSEC private keys, this just moves the bullseye >from CAs to DNSSEC signers. It does, but it

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Jason Duerstock
Except that this just shifts the burden of trust on to DNSSEC, which also necessitates a central authority of 'trust'. Unless there's an explicitly more secure way of storing DNSSEC private keys, this just moves the bullseye from CAs to DNSSEC signers. Jason On Mon, Sep 12, 2011 at 5:30 AM, Elio

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Christopher J. Pilkington
On Sep 11, 2011, at 11:06 PM, Hughes, Scott GRE-MG wrote: > Companies that wrap their services with generic domain names (paymybills.com > and the like) have no one to blame but themselves when they are targeted by > scammers and phishing schemes. Even EV certificates don't help when consumers

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Martin Millnert
Steinar, On Sun, Sep 11, 2011 at 8:12 PM, wrote: >> To pop up the stack a bit it's the fact that an organization willing to >> behave in that fashion was in my list of CA certs in the first place. >> Yes they're blackballed now, better late than never I suppose. What does >> that say about the p

Re: Re: EV SSL Certs

2011-09-12 Thread Cody Rose
On Monday, September 12, 2011 12:08:56 PM Coy Hile wrote: > > On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow > > > > wrote: > >> what's the real benefit of an EV cert? (to the service owner, not the > >> CA, the CA benefit is pretty clearly $$) > > > > The benefit is to the end user. > > Th

RE: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Leigh Porter
> -Original Message- > From: Gregory Edigarov [mailto:g...@bestnet.kharkov.ua] > I.e. instead of a set of trusted CAs there will be one distributed net > of servers, that act as a cert storage? > I do not see how that could help... > Well, I do not even see how can one trust any certifica

Re: EV SSL Certs

2011-09-12 Thread Coy Hile
> > On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow > wrote: > >> what's the real benefit of an EV cert? (to the service owner, not the >> CA, the CA benefit is pretty clearly $$) > > The benefit is to the end user. > They see a green address bar with the company's name displayed. > > Yeah, c

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Joe Greco
> > I think that it's hard to cope with SSL. It doesn't do the right things > > for the right reasons. Many of us, for example, operate local root CA's > > for signing of "internal" stuff; all our company gear trusts our local > > root CA and lots of stuff has certs issued by it. In an ideal wor

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Martin Millnert
Gregory, On Mon, Sep 12, 2011 at 1:23 PM, Gregory Edigarov wrote: > On Mon, 12 Sep 2011 12:12:08 +0200 > Martin Millnert wrote: > >> Mike, >> >> On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: >> > It will take a while to get updated browsers rolled out to enough >> > users for it to be prac

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Gregory Edigarov
On Mon, 12 Sep 2011 12:12:08 +0200 Martin Millnert wrote: > Mike, > > On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: > > It will take a while to get updated browsers rolled out to enough > > users for it to be practical to start using DNS based self-signed > > certificates instead of CA-Sig

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Martin Millnert
Mike, On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones wrote: > It will take a while to get updated browsers rolled out to enough > users for it to be practical to start using DNS based self-signed > certificates instead of CA-Signed certificates, so why don't any > browsers have support yet? are any

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread fredrik danerklint
> > How about a TXT record with the CN string of the CA cert subject in it? > > If it exists and there's a conflict, don't trust it. Seems simple > > enough to implement without too much collateral damage. > > Needs to be a DNSSEC-validated TXT record, or you've opened yourself up > to attacks vi

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Eliot Lear
Hank and everyone, This is a very interesting problem. As it happens, some folks in the IETF have anticipated this one. For those who are interested, Paul Hoffman and Jakob Schlyter have been working within the DANE working group at the IETF to provide for a means to alleviate some of the respon

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-12 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said: > If I have a thawte cert for valdis.com on host A and one from comodo > on host B... which is the right one? You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when you got to the IP address you were trying to reac

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Valdis . Kletnieks
On Mon, 12 Sep 2011 04:39:52 -, Marcus Reid said: > You don't have to have the big fat Mozilla root cert bundle on your > machines. Some OSes "ship" with an empty /etc/ssl, nobody tells you who > you trust. And for those OS's (who are they, anyhow) that ship empty bundles, how many CAs do yo