[Cryptography] Certificates and PKI

Viktor Dukhovni cryptography at dukhovni.org
Wed Dec 24 11:55:33 EST 2014

On Wed, Dec 24, 2014 at 07:24:31AM -0800, Bill Frantz wrote:

> On 12/23/14 at 12:36 PM, nico at cryptonector.com (Nico Williams) wrote:
> >CT is more than just a mitigation against lack of name constraints.
> >It's applicable to any kind of PKI.  DNSSEC is a kind of PKI.  CT should
> >be applicable to DNSSEC.
> Ben limits CT transactions to recognized CAs to limit spam to the CA CT
> registries. Could the DNS registrars be enlisted as intermediaries in a
> DNS-based CT registry to similarly limit spam?

It seems rather easy: all log submissions of signed DS RRsets can
be validated up to the root.  If any registry or individual domain
is spamming the log with fake delegations, this is easily detected
and their ability to continue to participate may suffer.


