by sarciszewski
3875 days ago
> Instead, the X.509 cert. stored in DNS is trusted for TLS purposes simply because it is DNSSEC signed rather than CA issued.

And I would see that as a huge mistake. Requiring two layers of verification (DNSSEC + separate CA) is what I had assumed DNSSEC would do. Would that stop the NSA? Probably not, but the person who broke DigiNotar wasn't exactly NSA.