From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 24 Jan 2010 08:14:09 -1000
From: Tim Newsham
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
In-Reply-To:
Message-ID:
References: <4B57048D.6040002@maht0x0r.net> <4f34febc1001231559s3ffb6037o2a193bf4689b961@mail.gmail.com> <8094c7f53bad7b2e0bed09ec4bfd41dc@ladd.quanstro.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: Re: [9fans] Are we ready for DNSSEC ?
Topicbox-Message-UUID: c60871dc-ead5-11e9-9d60-3106f5b1d025

> dns is a non-issue if the rest of ssl is working.
> dns is irrelevant if it isn't.

Except when SSL has chinks in its armor. Like incidents of certificate authorities being convinced to give out certs for domains that don't belong to the requestor. Or bugs in SSL cert validation that compares names only up to the NUL character and certificate authorities willing to make CERTs with NULs in the cert name. Or certificate authorities giving out unqualified "local" certificates that can be repurposed as non-local certs. Or simply the fact that the majority of the SSL using population has been trained to disregard SSL mismatches by clicking through any dialog box that appears while browsing.

At any rate, it would be nice having a certificate system that was more closely tied to the DNS hierarchy...

> russ

Tim Newsham | www.thenewsh.com/~newsham | thenewsh.blogspot.com
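
Added example, not part of the original message and not code from any SSL library: the name check that stops at the first NUL, as mentioned in the message above, next to a length-aware check that rejects such names. The struct, function names and sample names (reserved example domains) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* A name as decoded from the certificate: explicit length, any byte allowed. */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed samples (reserved example domains), not taken from a real certificate. */
static const unsigned char NUL_NAME[]   = "login.example.org\0.other.example.net";
static const unsigned char PLAIN_NAME[] = "login.example.org";

struct cert_name sample_nul_name(void)
{
    struct cert_name n = { NUL_NAME, sizeof NUL_NAME - 1 };
    return n;
}

struct cert_name sample_plain_name(void)
{
    struct cert_name n = { PLAIN_NAME, sizeof PLAIN_NAME - 1 };
    return n;
}

/* Flawed: treats the name as a C string, so the comparison stops at the first NUL
 * and never sees the rest. (Samples are literals, so a terminator is present.) */
int match_truncating(struct cert_name cn, const char *host)
{
    return strcmp((const char *)cn.data, host) == 0;
}

/* Length-aware: a name containing NUL is never a valid hostname, and the whole
 * decoded length must match. Case folding and wildcards are left out here. */
int match_length_aware(struct cert_name cn, const char *host)
{
    if (memchr(cn.data, '\0', cn.len) != NULL)
        return 0;
    return cn.len == strlen(host) && memcmp(cn.data, host, cn.len) == 0;
}

int main(void)
{
    const char *host = "login.example.org";
    printf("truncating,   NUL name:   %d\n", match_truncating(sample_nul_name(), host));
    printf("length-aware, NUL name:   %d\n", match_length_aware(sample_nul_name(), host));
    printf("length-aware, plain name: %d\n", match_length_aware(sample_plain_name(), host));
    return 0;
}
```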