[SSL Observatory] SSL CA compromise in the wild
Matt McCutchen
matt at mattmccutchen.net
Wed Mar 23 08:52:58 PDT 2011

On Tue, 2011-03-22 at 23:52 -0700, Jacob Appelbaum wrote:
> Sure. I think SSH has a good model

The SSH "model" is a cop-out. It remembers the first public key it sees
in the hope that that is the one for the server you wanted, but you
really have no reason to believe that is so.

> and SSHFP records improve things.

Without DNSSEC, they are meaningless. With DNSSEC, you get the DNS
authority structure, which is a step up from the CA system. But you
still might not want to tie your server's identity to the ICANN DNS.
--
Matt