[Cryptography] "Trust in digital certificate ecosystem eroding"
guido at witmond.nl
Mon May 4 14:42:57 EDT 2015
On 05/04/15 00:45, Christian Huitema wrote:
> On Sunday, May 3, 2015, at 11:02 AM, Guido Witmond wrote:
>> ... With DNSSEC and DANE, the site-owner *specifies* which CA is
>> the correct one *for their own site*.
> But! If the user lives in the Kingdom of Notrustistan, there is a
> catch. The local dictators could mandate that every computer and
> every phone ships with their very own version of ICANN root's key,
> enabling the Great Firewall of Notrustistan to spoof TLSA records and
> then MITM the TLS connections...
If someone has control over your endpoint, it's game over.
It's the ultimate form of Balkanization: spying on your own people *AND*
blocking nosy foreigners who don't have the tinpot-RootKey installed.
Why this is a real possibility, it's not a silent attack like having a
root CA certificate in the current browser trust stores.
Still, I think it is an improvement.
Because with the eccentric authentication protocol built upon DNSSEC and
DANE (and some more ), people inside the dictatorship still can
communicate securely with each other. So the dictator has to forbid that
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: OpenPGP digital signature
More information about the cryptography