[Ach] opinions on letsencrypt.org?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Nov 25 17:45:54 CET 2014


On 11/25/2014 10:20 AM, Aaron Zauner wrote:
> As with TACK I hear that some vital Google engineers don't like the DANE
> trust/security model. I'm curious if it'll see real adoption. Their
> reasoning so far has been that there are more "entry points" for an
> attacker than with a central (and CT audited) trust system as with
> certificate authorities. 

This is a good argument for trying to figure out how to extend the CT
model into the DNSSEC space, as was proposed by Dacheng Zhang at the
trans wg earlier this month.

  https://tools.ietf.org/html/draft-zhang-ct-dnssec-trans

That proposal had some serious flaws, but anyone interested in doing
this kind of monitoring work of centralized/hierarchical infrastructure
should take a look and suggest improvements.

	--dkg
