towards https everywhere and strict transport security (was: Has there been a change in US banking regulations recently?)

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Aug 23 18:00:26 EDT 2010


On Sun, Aug 22, 2010 at 11:51:01AM -0400, Anne & Lynn Wheeler wrote:
> On 08/22/2010 06:56 AM, Jakob Schlyter wrote:
> >There is a lot of work going on in this area, including how to use secure
> >DNS to associate the key that appears in a TLS server's certificate with
> >the intended domain name [1]. Adding HSTS to this mix does make sense and
> >is something that is discussed, e.g. on the keyassure mailing list [2].
> 
> There is a large vested interest in the Certification Authority industry
> selling SSL domain name certificates. A secure DNS scenario is having
> a public key registered at the time the domain name is registered ...
> and then a different kind of TLS ... where the public key is returned
> in piggy-back with the domain name to ip-address mapping response.


	for the conservative - they may want to verify the DNSSEC
	trust chains for both the domain name and the IP address.

	e.g. is it the same EV cert at the end of both validation
	checks.

--bill
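The cross-check Bill sketches above, for the DNS-carried-key design Lynn describes, written out as an added example (it is not code from the thread or from any of the projects mentioned). It models the DNSSEC-validated answers as a plain dict, uses a constructed byte string in place of a real DER certificate, handles only TLSA selector 0 (full certificate) with matching type 0, 1 or 2, and uses the hypothetical names bank.example, 192.0.2.10 and 2001:db8::10; a real client would take the records from a validating resolver (or validate the chains itself) before trusting either path.

```python
"""Forward-plus-reverse TLSA cross-check (added example, not from the thread).

Assumptions (all hypothetical): DNSSEC-validated records arrive as a dict
keyed by owner name; the "certificate" is a constructed byte string, not
real DER; only selector 0 (full certificate) is handled, because selector 1
(SubjectPublicKeyInfo) would need a DER parser.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0-3 as in RFC 6698; only the association data is compared here
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo (unsupported here)
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def reverse_name(ip: str) -> str:
    """Owner name of the address's PTR record: in-addr.arpa or ip6.arpa, absolute."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def tlsa_name(owner: str, port: int = 443, proto: str = "tcp") -> str:
    """TLSA owner name for a service on an absolute DNS name."""
    return f"_{port}._{proto}.{owner}"


def digest_matches(cert_der: bytes, rec: TLSA) -> bool:
    """Does the presented certificate match one TLSA association?"""
    if rec.selector != 0:
        return False  # SPKI selector deliberately unsupported in this example
    if rec.mtype == 0:
        return rec.data == cert_der
    if rec.mtype == 1:
        return rec.data == hashlib.sha256(cert_der).digest()
    if rec.mtype == 2:
        return rec.data == hashlib.sha512(cert_der).digest()
    return False


def cross_check(zone: dict, hostname: str, ip: str, cert_der: bytes) -> dict:
    """Check the presented cert against the TLSA records reached via the
    forward name and via the reverse name of the address we connected to.
    The conservative client Bill describes accepts only when both agree."""
    fwd = zone.get(tlsa_name(hostname), [])
    rev = zone.get(tlsa_name(reverse_name(ip)), [])
    fwd_ok = any(digest_matches(cert_der, r) for r in fwd)
    rev_ok = any(digest_matches(cert_der, r) for r in rev)
    return {"forward": fwd_ok, "reverse": rev_ok, "both": fwd_ok and rev_ok}


def sample_zone():
    """Constructed data: one good cert, one unrelated cert, and records that
    agree for the IPv4 address but disagree for the IPv6 one (stale or rogue
    reverse zone). Returns (zone, good_cert, other_cert)."""
    good = b"constructed-DER-for-bank.example-not-a-real-certificate"
    other = b"constructed-DER-for-some-other-server"
    zone = {
        tlsa_name("bank.example."): [
            TLSA(3, 0, 1, hashlib.sha256(good).digest()),
        ],
        tlsa_name(reverse_name("192.0.2.10")): [
            TLSA(3, 0, 1, hashlib.sha256(good).digest()),
        ],
        tlsa_name(reverse_name("2001:db8::10")): [
            TLSA(3, 0, 2, hashlib.sha512(other).digest()),
        ],
    }
    return zone, good, other


if __name__ == "__main__":
    zone, good, other = sample_zone()
    print("v4 path:", cross_check(zone, "bank.example.", "192.0.2.10", good))
    print("v6 path:", cross_check(zone, "bank.example.", "2001:db8::10", good))
```

Only the `both` flag is meaningful for the conservative policy: a forward-only match is what plain DANE gives you, and a reverse-only match says nothing about the name the user typed.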

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com