On Mon, 12 Sep 2011 04:39:52 -0000, Marcus Reid said: > You don't have to have the big fat Mozilla root cert bundle on your > machines. Some OSes "ship" with an empty /etc/ssl, nobody tells you who > you trust.
And for those OS's (who are they, anyhow) that ship empty bundles, how many CAs do you end up trusting anyhow? > How about a TXT record with the CN string of the CA cert subject in it? > If it exists and there's a conflict, don't trust it. Seems simple > enough to implement without too much collateral damage. Needs to be a DNSSEC-validated TXT record, or you've opened yourself up to attacks via DNS poisoning (either insert a malicious TXT that matches your malicious certificate, or insert a malicious TXT that intentionally *doesn't* match the vicitm's certificate)....
pgpNi8okd9oAi.pgp
Description: PGP signature
