[Cryptography] DNSSEC = completely unnecessary?
Guido Witmond
guido at witmond.nl
Mon Nov 4 13:10:36 EST 2013
On 11/04/13 18:57, Martin Paljak wrote:
> On Mon, Nov 4, 2013 at 12:14 PM, Guido Witmond <guido at witmond.nl> wrote:
>> If you don't trust your chosen CA, ie, it might be coerced to sign a
>> fake cert by an 'authority', create your own Root Key (on a smart card)
>> and use that for your server certificate.
>
> If it only would be that easy...
> What would this fix if I don't trust the smart card(s)?
You could try a GPG-card if the standard x509 cards from the big vendors
might not have your approval.
There is also the option of a hsm module, by some other big vendors.
Or you could use a cheap laptop from some generations ago and use it as
your root CA. Make sure you open the case and disable the wifi,
bluetooth and microphone :-)
At least with DNSSEC and DANE, we have the choice of options back to the
domain owner.
Regards, Guido.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131104/570ef9a0/attachment.pgp>
More information about the cryptography
mailing list