Yo Hal! On Fri, 01 Feb 2019 15:24:09 -0800 Hal Murray via devel <devel@ntpsec.org> wrote:
> If I start with a name, translate that to an IP Address, make a TLS
> connection to that system, I expect to get a certificate that matches
> the name.

Yup, but not always. Some will want to stop on mismatch, some want to
continue. Thus the new "noval" keyword.

> But that translation step adds another layer of security
> considerations.

Which have been well thought out by the TLS people. The proposed RFC says
to reuse that very well constructed wheel.

> Is it practical to bypass the DNS lookup and use a certificate for
> the IP Address?

Trivial, not quite. Practical, yes. But not common. Leave that to
wizards.

The common case you are looking for is when you contact a TLS server by
IP, not name, and then either validate, or not, the returned certificate.
This is very common for testing before moving a server into its
production IP.

> Is there an option I can give to something like getaddrinfo() that
> says require DNSSEC? What fraction of the world is using DNSSEC
> and/or pays attention if somebody else uses it?

Leave that battle to the TLS people. They discuss the next step all the
time and DNSSEC has been a battle for a long time. The vulnerability
window there is very small.

I can easily spoof a client to think my server is google.com. I can
easily create a certificate that says my server is google.com. But I can
not create a google.com certificate that will validate without a lot of
hard work. NSA can do it, but not me.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
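The cases Gary describes (dial a TLS server by IP, then validate the returned certificate against the name you expected, or skip validation with "noval"; and a certificate that merely *says* google.com not validating) can be played out end to end on loopback. The Go program below is an added example for this thread; it is not ntpsec code and not from either poster. It assumes Go 1.18 or later, a constructed name `ntp.example.test` that exists only inside the program, and its own helper names (`selfSignedCert`, `startServer`, `dialByIP`, `RunScenarios`); "noval" is modelled as Go's `InsecureSkipVerify`. Two throw-away self-signed certificates are minted for the same name; the client trusts exactly one of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ServerName is the name the client expects in the certificate. It is a
// constructed value for this example and does not exist in DNS.
const ServerName = "ntp.example.test"

// must: a setup failure is a bug in the example, not a case under test.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert mints a throw-away certificate that says it is for name.
// Anyone can make one; what they cannot do is chain it to a trusted root.
func selfSignedCert(name string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // name matching uses the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer serves TLS with cert on a loopback port; returns IP:port and a stop func.
func startServer(cert tls.Certificate) (string, func()) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// Finish the handshake so the client sees the certificate, then hang up.
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// dialByIP contacts a TLS server by IP, not name, and reports how the client's
// validation ended. expectName is the name the certificate must match (also sent
// as SNI); empty means "check it against the IP literal". roots is what the client
// trusts (nil = system store). noval is the thread's "noval": skip validation.
func dialByIP(addr, expectName string, roots *x509.CertPool, noval bool) string {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: expectName, RootCAs: roots, InsecureSkipVerify: noval})
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		conn.Close()
		return "ok"
	case errors.As(err, &hn):
		return "name mismatch"
	case errors.As(err, &ua):
		return "untrusted issuer"
	}
	return "other: " + err.Error()
}

// RunScenarios plays the thread's cases against two loopback servers: one whose
// certificate the client trusts, one with a freshly minted certificate claiming
// the same name. It returns one dialByIP result per case, in order.
func RunScenarios() []string {
	good, forged := selfSignedCert(ServerName), selfSignedCert(ServerName)
	trusted := x509.NewCertPool()
	trusted.AddCert(good.Leaf) // the client trusts exactly this certificate
	goodAddr, stopGood := startServer(good)
	defer stopGood()
	forgedAddr, stopForged := startServer(forged)
	defer stopForged()
	return []string{
		dialByIP(goodAddr, ServerName, trusted, false),   // validate against the expected name
		dialByIP(goodAddr, "", trusted, false),           // validate against the IP literal
		dialByIP(forgedAddr, ServerName, trusted, false), // right name, unknown issuer
		dialByIP(forgedAddr, ServerName, nil, true),      // noval: take whatever is offered
	}
}

func main() {
	for i, r := range RunScenarios() {
		fmt.Printf("case %d: %s\n", i+1, r)
	}
}
```

The second case is the trap for a client that dials by IP: unless it tells the library which name it expected, the library compares the certificate against the IP literal and a perfectly good certificate is rejected. The third case is the "certificate that says my server is google.com" situation: the name matches, but the certificate chains to nothing the client trusts, so a validating client stops. Only the "noval" case accepts it.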