[SSL Observatory] SSL CA compromise in the wild

Matt McCutchen matt at mattmccutchen.net
Wed Mar 23 08:52:58 PDT 2011


On Tue, 2011-03-22 at 23:52 -0700, Jacob Appelbaum wrote:
> Sure. I think SSH has a good model

The SSH "model" is a cop-out.  It remembers the first public key it sees
in the hope that that is the one for the server you wanted, but you
really have no reason to believe that is so.

> and SSHFP records improve things.

Without DNSSEC, they are meaningless.  With DNSSEC, you get the DNS
authority structure, which is a step up from the CA system.  But you
still might not want to tie your server's identity to the ICANN DNS.

-- 
Matt
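
As an added illustration of the SSHFP point above (not part of the original message, and not code from OpenSSH or any other implementation): the sketch computes the SSHFP fingerprint of a host key and treats a matching record as authentication only when the DNS answer was DNSSEC-validated. The function names, the result labels, the `dnssec_validated` flag (assumed to come from a validating resolver) and the sample key are assumptions made for this example.

```python
import base64
import hashlib
import struct

# SSHFP key-algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fp_type=2):
    """(algorithm, fp_type, hex digest) for an OpenSSH 'type base64' key line."""
    key_type, b64 = pubkey_line.split()[:2]
    alg = 3 if key_type.startswith("ecdsa-sha2-") else KEY_ALGS[key_type]
    # The fingerprint is a hash of the raw public key blob, not of the text.
    return alg, fp_type, FP_HASHES[fp_type](base64.b64decode(b64)).hexdigest()


def parse_sshfp(rdata):
    """Parse presentation-format RDATA such as '4 2 ab12...'."""
    alg, fp_type, hexfp = rdata.split(None, 2)
    return int(alg), int(fp_type), "".join(hexfp.split()).lower()


def check_host_key(pubkey_line, sshfp_rdatas, dnssec_validated, pinned=None):
    """Say what, if anything, authenticates the offered key (hypothetical policy)."""
    if pinned is not None:  # a key remembered from an earlier connection
        return "pinned-match" if pinned == pubkey_line else "pinned-MISMATCH"
    if not dnssec_validated or not sshfp_rdatas:
        # Unsigned DNS answers can be spoofed, so an SSHFP record seen without
        # DNSSEC validation proves nothing; this is where TOFU just accepts.
        return "unauthenticated"
    for alg, fp_type, hexfp in map(parse_sshfp, sshfp_rdatas):
        if fp_type in FP_HASHES and sshfp_rdata(pubkey_line, fp_type) == (alg, fp_type, hexfp):
            return "sshfp-dnssec"
    return "sshfp-MISMATCH"


# Constructed sample key: a well-formed ssh-ed25519 blob with dummy key bytes.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode()

if __name__ == "__main__":
    record = "%d %d %s" % sshfp_rdata(SAMPLE_KEY)
    for validated in (True, False):
        print(validated, check_host_key(SAMPLE_KEY, [record], validated))
```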



