[dns-operations] FYI: SAC057 - SSAC Advisory on Internal Name Certificates

Vernon Schryver vjs at rhyolite.com
Fri Mar 15 19:58:01 UTC 2013

> > i certainly hope the reference to "hr" being a "local" or "internal" or
> > "non-unique" name is a mistake and that CAs would absolutely refuse to
> > issue certs for names that are the same as a really existing TLD:

>     Not using FQDNs is foolish and unwarranted - and issuing certificates to
>     match unqualified names is not improving the general picture.
>     What I find more disturbing is this:
> ...

What I find even more disturbing is that people are still talking
about commercial PKI as if it had been other than expensive
security theater for more than 10 years (i.e. since CA-2001-04).

Instead of spending effort on equivalents to arguing that a black
semi-automatic rifle is too dangerous for civilians but the same weapon
painted pink is ok, or that a molded hand grip makes a 2 inch knife
too dangerous for an airplane,
spend it on things with at least a little real world security
implications such as DNSSEC and eventually DANE.

Don't waste time lobbying ICANN, but do urge browser vendors to
start using TLSA records.

It might be extreme and it's certainly unintentionally offensive, but
a case can be made that no one writing from a domain without RRSIGs
on its MX and A RRs should say anything in public about network
security other than to ask about DNSSEC.
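As an added illustration of the TLSA records the post asks browsers to use (example code written for this page, not the poster's nor any browser's): it builds and matches a DANE-EE record per RFC 6698, using constructed stand-in bytes for the certificate and its SubjectPublicKeyInfo, and assumes the record came from a DNSSEC-validated answer, since an unsigned TLSA answer proves nothing.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins (not real DER): in practice these are the DER bytes of
# the server's end-entity certificate and of its SubjectPublicKeyInfo.
CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SPKI_DER = b"\x30\x59constructed-spki-bytes"


@dataclass(frozen=True)
class TLSA:
    usage: int            # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int         # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int    # 0 exact bytes, 1 SHA-256, 2 SHA-512
    cert_assoc_data: bytes

    def to_presentation(self, owner="_443._tcp.example.com."):
        # Zone-file form: owner IN TLSA usage selector mtype hex-data
        return (f"{owner} IN TLSA {self.usage} {self.selector} "
                f"{self.matching_type} {self.cert_assoc_data.hex()}")


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    # Wire format: three one-octet fields, then the association data.
    if len(rdata) < 3:
        raise ValueError("TLSA rdata too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def _select(cert_der: bytes, spki_der: bytes, selector: int) -> bytes:
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def _match(data: bytes, matching_type: int) -> bytes:
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert_der, spki_der, usage=3, selector=1, matching_type=1) -> TLSA:
    # Build the record an operator would publish for this certificate.
    data = _match(_select(cert_der, spki_der, selector), matching_type)
    return TLSA(usage, selector, matching_type, data)


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    # DANE-EE (usage 3): the presented end-entity cert alone must match.
    # Usages 0-2 also require chain/PKIX validation, which is not shown here.
    try:
        expected = _match(_select(cert_der, spki_der, record.selector),
                          record.matching_type)
    except ValueError:
        return False  # unusable parameters count as "no match", not "skip"
    return hmac.compare_digest(expected, record.cert_assoc_data)
```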

