by rajivm 3879 days ago
I'm not sure why your question is being side-stepped, I also had the same wonder. It seems from reading though that the reason this is a problem is CAs are not involved at all in the DANE/TLS scenario. Instead, the X.509 cert. stored in DNS is trusted for TLS purposes simply because it is DNSSEC signed rather than CA issued. However, it seems at this time, no mainstream browser actually supports this natively (some have released plugins).

What I (and you) seem to have assumed was that this was DNS based certificate pinning, which to me would have made a lot of sense.


> Instead, the X.509 cert. stored in DNS is trusted for TLS purposes simply because it is DNSSEC signed rather than CA issued.

And I would see that as a huge mistake. Requiring two layers of verification (DNSSEC + separate CA) is what I had assumed DNSSEC would do.

Would that stop the NSA? Probably not, but the person who broke DigiNotar wasn't exactly NSA.
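The distinction both comments circle around (trusting a DNSSEC-signed record on its own versus requiring a CA-validated chain as well) is exactly what the certificate-usage field of a DANE TLSA record encodes: usages 0 and 1 (PKIX-TA, PKIX-EE) only constrain a chain that already passed normal CA validation, while usages 2 and 3 (DANE-TA, DANE-EE) accept the DNSSEC-validated record alone. The following is an added example, not code from the thread or from any browser or resolver, that builds and checks TLSA records with the RFC 6698 field semantics. The certificate and SubjectPublicKeyInfo byte strings are constructed placeholders rather than real DER, and the PKIX and DNSSEC outcomes are passed in as flags, since real chain validation and DNSSEC resolution are outside the scope of the sketch.

```python
"""DANE/TLSA matching with RFC 6698 certificate-usage semantics (added example)."""
import hashlib

# Certificate usage (RFC 6698, section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector: full certificate or SubjectPublicKeyInfo only
SEL_CERT, SEL_SPKI = 0, 1
# Matching type: exact data, SHA-256 digest or SHA-512 digest
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed stand-ins for DER encodings (not real certificates).
EE_CERT, EE_SPKI = b"constructed-end-entity-cert-der", b"constructed-end-entity-spki-der"
CA_CERT, CA_SPKI = b"constructed-issuing-ca-cert-der", b"constructed-issuing-ca-spki-der"


def tlsa_rdata(usage, selector, mtype, cert_der, spki_der):
    """Build a TLSA record tuple (usage, selector, matching type, association data)."""
    subject = cert_der if selector == SEL_CERT else spki_der
    if mtype == MATCH_FULL:
        data = subject
    elif mtype == MATCH_SHA256:
        data = hashlib.sha256(subject).digest()
    elif mtype == MATCH_SHA512:
        data = hashlib.sha512(subject).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return (usage, selector, mtype, data)


def parse_tlsa(text):
    """Parse presentation format such as '3 1 1 <hex digest>' into a record tuple."""
    usage, selector, mtype, hexdata = text.split(None, 3)
    return (int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(record, cert_der, spki_der):
    """True if the given certificate satisfies the record's selector/matching type."""
    usage, selector, mtype, data = record
    return tlsa_rdata(usage, selector, mtype, cert_der, spki_der)[3] == data


def dane_accepts(records, dnssec_secure, pkix_valid, ee_cert, ee_spki, ca_chain):
    """Decide whether a TLS certificate is accepted under DANE.

    dnssec_secure: the TLSA RRset was obtained with DNSSEC validation (assumed input).
    pkix_valid:    the presented chain passed ordinary CA (PKIX) validation (assumed input).
    ca_chain:      list of (cert_der, spki_der) for the CA certificates in the chain.
    Returns (accepted, reason). Simplified: TA usages are matched against any CA in the chain.
    """
    if not dnssec_secure:
        return False, "TLSA RRset not DNSSEC-validated; DANE cannot be applied"
    for rec in records:
        usage = rec[0]
        if usage in (PKIX_TA, PKIX_EE) and not pkix_valid:
            # These usages only add a constraint on top of CA validation; without
            # a valid PKIX chain they can never accept (the "two layers" model).
            continue
        if usage in (PKIX_EE, DANE_EE):
            if tlsa_matches(rec, ee_cert, ee_spki):
                return True, f"usage {usage} matched the end-entity certificate"
        else:
            if any(tlsa_matches(rec, c, s) for c, s in ca_chain):
                return True, f"usage {usage} matched a trust anchor in the chain"
    return False, "no TLSA record matched"


if __name__ == "__main__":
    dane_ee = tlsa_rdata(DANE_EE, SEL_SPKI, MATCH_SHA256, EE_CERT, EE_SPKI)
    pkix_ee = tlsa_rdata(PKIX_EE, SEL_SPKI, MATCH_SHA256, EE_CERT, EE_SPKI)
    chain = [(CA_CERT, CA_SPKI)]
    # DANE-EE: DNSSEC alone is enough, CA validation is not consulted.
    print(dane_accepts([dane_ee], True, False, EE_CERT, EE_SPKI, chain))
    # PKIX-EE: requires both a valid CA chain and a matching DNSSEC-signed record.
    print(dane_accepts([pkix_ee], True, False, EE_CERT, EE_SPKI, chain))
    print(dane_accepts([pkix_ee], True, True, EE_CERT, EE_SPKI, chain))
```

Usage 1 with selector 1 and matching type 1 ("1 1 1 <sha256 of SPKI>") is the record shape that gives the second commenter's two-layer model: a CA must still issue the certificate, and the DNSSEC-signed digest pins which key is acceptable. Usage 3 is the CA-less mode the first commenter describes.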