Re: VeriSign feedback/comments on STS -06

Mon 2010-05-17 at 14:34 -0700, Michal Zalewski wrote:

> This would make it difficult to enroll (requiring changing all certs).

Which is something you do anyway fairly frequently (every year or so).

> The first part is true also in the current model, if the user first
> navigates to http://, rather than https://; but at least, it gives you
> some choice. The second attack is much harder for TCP than it is for
> DNS over UDP.

Personally I consider DNS over UDP flawed beyond repair, at least until
DNSSEC is properly in place and verified, but probably even after
that...

Regards
Henrik

Received on Monday, 17 May 2010 23:15:34 UTC