[dns-operations] Another whitepaper on DDOS
dougb at dougbarton.us
Fri Feb 22 21:28:05 UTC 2013
Are there CA vendors who give out EV certificates for "$fee + answer the
e-mail"? I know you can get "basic" SSL certs simply by answering the
e-mail from the CA.
Not that "look for the green bar" is going to be a whole lot more
successful than "Don't say yes to security exceptions you don't
understand," but I'm curious. :)
On 02/22/2013 11:42 AM, Vernon Schryver wrote:
>> From: Lutz Donnerhacke <lutz at iks-jena.de>
>> But the errornous transfer of ebay.de would create a deasaster with DANE.
> In what way would DANE make the theft of a domain worse?
> Without DANE, the new possessor of a domain need only get SMTP working,
> create a new cert, apply for signature for a new cert, answer the email
> from the CA verifying ownership of the domain, and start using that
> new cert on new HTTP servers with improved web pages.
> With DANE, only a few things differ. One difference is that the
> new cert can be used as soon as DNS TTLs allow without waiting to
> answer ownership-verifying email from the CA. The second difference
> is that before and after the transfer, browser users can be more
> confident that the web pages they see are unchanged between HTTP
> server and HTTP client.
> In no case can you be sure that ebay.de is what you assume it is without
> some sort of out-of-band exchange of keys and secrets between you and
> ebay.de. Paying a CA $500 cannot buy more than $500 worth of identity
> checking and authentication, and that cannot penetrate more than $500
> worth of smoke, mirrors, forged business licenses, etc. $500 is plenty
> for a hobby domain but ridiculous for an eBay. (Never mind the free CAs.)
> Commercial PKI verifications of the identities of strangers have always
> been frauds and snake oil sold to punters. That commercial PKI fees
> have always been too small to allow honest identity checks even for
> organizations more famous than Ebay was proven more than 10 years ago.
> Vernon Schryver vjs at rhyolite.com
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> dns-jobs mailing list
More information about the dns-operations