[Cryptography] Commercial PKI as dog poop

jrzx jrzx at protonmail.ch
Thu May 13 21:04:10 EDT 2021


> > A CDN is "non origin certification"
> >
> > Meaning the owner of the certificate has no control
> > over the name, and the owner of the name has no control
> > over the owner of the certificate casually redirecting
> > the name to a machine controlled by someone else.

On Thursday, May 13, 2021 9:40 AM, Salz, Rich via cryptography <cryptography at metzdowd.com> wrote:
> You do not know what you are talking about.
>
> The fact that DNS says www.example.com is a host that is
> not where you, as an individual, think it should be, is
> not anyone's problem but your expectation.

We are not discussing my expectations of the DNS, but my
expectations of SSL and certificate authorities.

I expect that if I form an SSL connection to www.example.com,
the machine at the other end will be controlled by the owner
of the name www.example.com.

If that expectation can easily be violated, it is a problem.
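The check a TLS client actually performs when it connects to www.example.com, as an added example for readers of this thread (it is not code from the poster or from the list): the client verifies that the presented certificate chains to a CA in its trust store and that one of its subjectAltName dNSName entries matches the dialled name under the RFC 6125 matching rules. Nothing in that procedure identifies who operates the machine holding the private key. The `Cert` class, the `holder` field (which is not a certificate attribute and is carried only so the example can show that verification never consults it), the trust store contents and the sample certificates are all constructed for illustration.

```python
"""Hostname verification as a TLS client performs it: trusted issuer plus
a subjectAltName match.  Constructed stand-ins, no network access."""

from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for a leaf certificate (constructed, hypothetical)."""
    san_dns: list[str]   # subjectAltName dNSName entries
    issuer: str          # issuing CA
    # Who actually operates the key.  This is NOT part of any real
    # certificate; it is here only to show that verification ignores it.
    holder: str = ""


# The client's trust store (constructed).
TRUSTED_ISSUERS = {"Example Public CA"}


def match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 dNSName matching.

    Case-insensitive; '*' is accepted only as the entire leftmost label and
    matches exactly one label; partial-label wildcards are rejected; a
    wildcard must leave at least two further labels so '*.com' cannot match.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False
    return p_labels == h_labels


def verify_server_cert(cert: Cert, hostname: str) -> bool:
    """Everything a conforming client checks before trusting the endpoint."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return False
    # Note: cert.holder is never consulted; the check is name-based.
    return any(match_dns_name(name, hostname) for name in cert.san_dns)


def demo() -> dict[str, bool]:
    """Three constructed certificates for www.example.com, checked as a
    client dialling www.example.com (and one wrong-name connection)."""
    origin_cert = Cert(["www.example.com"], "Example Public CA",
                       holder="operator of example.com")
    cdn_cert = Cert(["www.example.com"], "Example Public CA",
                    holder="CDN terminating TLS on the operator's behalf")
    rogue_cert = Cert(["www.example.com"], "Self-Signed", holder="attacker")
    return {
        "origin": verify_server_cert(origin_cert, "www.example.com"),
        "cdn": verify_server_cert(cdn_cert, "www.example.com"),
        "untrusted_issuer": verify_server_cert(rogue_cert, "www.example.com"),
        "wrong_name": verify_server_cert(origin_cert, "mail.example.com"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'accepted' if ok else 'rejected'}")
```

Both the origin's certificate and the CDN's certificate for the same name are accepted; the only inputs that cause rejection are an untrusted issuer or a name mismatch. Whether a CA should have issued the second certificate at all is the question the thread is arguing about; the client-side check has no way to ask it.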
