[Cryptography] "Trust in digital certificate ecosystem eroding"

Guido Witmond guido at witmond.nl
Mon May 4 14:42:57 EDT 2015

On 05/04/15 00:45, Christian Huitema wrote:
> On Sunday, May 3, 2015, at 11:02 AM, Guido Witmond wrote:
>> ... With DNSSEC and DANE, the site-owner *specifies* which CA is
>> the correct one *for their own site*.
> But! If the user lives in the Kingdom of Notrustistan, there is a
> catch. The local dictators could mandate that every computer and
> every phone ships with their very own version of ICANN root's key,
> enabling the Great Firewall of Notrustistan to spoof TLSA records and
> then MITM the TLS connections...

If someone has control over your endpoint, it's game over.

It's the ultimate form of Balkanization: spying on your own people *AND*
blocking nosy foreigners who don't have the tinpot-RootKey installed.

While this is a real possibility, it's not a silent attack like having a
root CA certificate in the current browser trust stores.

Still, I think it is an improvement.

Because with the eccentric authentication protocol built upon DNSSEC and
DANE (and some more [1]), people inside the dictatorship still can
communicate securely with each other. So the dictator has to forbid that

Regards, Guido.

