[Cryptography] Certificates and PKI

Paul Wouters paul at cypherpunks.ca
Mon Dec 29 22:20:25 EST 2014


On Mon, 29 Dec 2014, Christian Huitema wrote:

> Implementations could assume that algorithmically derived names like
> "_<port>._<proto>.mxhost.example.com" are in the same zone as
> "mxhost.example.com." The cost of being wrong is not all that high. The
> protocol ID will leak, but that can in most cases be already inferred from
> the host name.

That would be wrong. For instance, for fedoraproject I am planning to
host _openpgpkey.fedoraproject.org as a separate zone, while not
everyone might do that.

Paul
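
An added example, not part of the original message: rather than assuming a derived name shares a zone with its base name, a client can walk up the labels to find the closest enclosing zone apex and compare. The apex table, the `abc123` label and the function names are constructed for illustration and stand in for real SOA queries.

```python
# Constructed zone data for illustration only; it does not describe any real
# deployment. Each entry is a zone apex, i.e. a name that would own an SOA record.
CONSTRUCTED_APEXES = {
    "org.",
    "fedoraproject.org.",
    "_openpgpkey.fedoraproject.org.",  # hosted as its own zone
    "com.",
    "example.com.",
}


def normalize(name):
    """Lower-case a DNS name and make it fully qualified."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def has_soa(name, apexes=CONSTRUCTED_APEXES):
    """Stand-in for an SOA query; a real resolver call would go here."""
    return normalize(name) in apexes


def enclosing_zone(name, soa_lookup=has_soa):
    """Walk from the full name towards the root and return the first apex found."""
    labels = normalize(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if soa_lookup(candidate):
            return candidate
    return "."  # nothing matched below the root


def same_zone(derived, base, soa_lookup=has_soa):
    """True only if both names have the same enclosing zone apex."""
    return enclosing_zone(derived, soa_lookup) == enclosing_zone(base, soa_lookup)


if __name__ == "__main__":
    pairs = [
        ("_25._tcp.mxhost.example.com", "mxhost.example.com"),
        # "abc123" is a constructed placeholder label
        ("abc123._openpgpkey.fedoraproject.org", "fedoraproject.org"),
    ]
    for derived, base in pairs:
        print(derived, "->", enclosing_zone(derived),
              "| same zone as base:", same_zone(derived, base))
```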

