[147995] in cryptography@c2.net mail archive


Re: [Cryptography] DNSSEC = completely unnecessary?

daemon@ATHENA.MIT.EDU (Guido Witmond)
Mon Nov 4 13:15:59 2013

X-Original-To: cryptography@metzdowd.com
Date: Mon, 04 Nov 2013 19:10:36 +0100
From: Guido Witmond <guido@witmond.nl>
To: Martin Paljak <martin@martinpaljak.net>
In-Reply-To: <CACsm3DWHyCN0quzercmvd8-4F5_jD+9xupKOwQKjfnuLMG01kw@mail.gmail.com>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 11/04/13 18:57, Martin Paljak wrote:
> On Mon, Nov 4, 2013 at 12:14 PM, Guido Witmond <guido@witmond.nl> wrote:
>> If you don't trust your chosen CA, i.e., it might be coerced to sign a
>> fake cert by an 'authority', create your own Root Key (on a smart card)
>> and use that for your server certificate.
>
> If it only would be that easy...
> What would this fix if I don't trust the smart card(s)?

You could try a GPG card if the standard X.509 cards from the big vendors
might not have your approval.

There is also the option of an HSM, from some other big vendors.

Or you could use a cheap laptop from some generations ago and use it as
your root CA. Make sure you open the case and disable the Wi-Fi,
Bluetooth and microphone :-)

At least with DNSSEC and DANE, we have the choice of options back to the
domain owner.

Regards, Guido.
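
The DANE mechanism the thread refers to, as an added example that is not part of the original mail: a domain owner publishes a TLSA record binding the name to their own end-entity certificate (usage 3, DANE-EE) or to their own root key as trust anchor (usage 2, DANE-TA), and a validator checks the served chain against it. The DER byte strings are constructed placeholders, not real certificates, and the DANE-TA check is simplified to "the pinned anchor appears in the served chain" (the PKIX path-building step of RFC 6698 is omitted).

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698 s.2.1.1)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    mtype: int      # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation):
    """Parse the RDATA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex("".join(hexparts)))


def association_data(selector, mtype, cert_der, spki_der):
    """Derive the data field a record must carry to match this certificate."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()


def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    """What the domain owner publishes in DNS (signed with DNSSEC)."""
    return TLSARecord(usage, selector, mtype,
                      association_data(selector, mtype, cert_der, spki_der))


def tlsa_matches(record, chain):
    """chain[0] is (cert_der, spki_der) of the end-entity cert; the rest are
    the issuers the server sent. DANE-EE pins the leaf itself; DANE-TA pins an
    issuer the operator chose as trust anchor, such as their own root key.
    Simplification: the anchor must be present in the served chain."""
    if record.usage == 3:
        candidates = chain[:1]
    elif record.usage == 2:
        candidates = chain[1:]
    else:
        raise NotImplementedError("PKIX-TA/PKIX-EE also need PKIX path validation")
    return any(association_data(record.selector, record.mtype, c, s) == record.data
               for c, s in candidates)


if __name__ == "__main__":
    # Constructed stand-ins for DER-encoded certificate and SPKI bytes.
    leaf = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
    own_root = (b"constructed-own-root-der", b"constructed-own-root-spki-der")
    rec = make_tlsa(3, 1, 1, *leaf)          # "3 1 1 <sha256 of leaf SPKI>"
    print("3 1 1", rec.data.hex(), tlsa_matches(rec, [leaf, own_root]))
```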

