Mario Lombardo wrote: > Hi *, > > this is just an idea. However it would increase the security of our crypto > system in case a trusted CA has been compromised. > > The idea is to implement a DNS lookup of a host whenever a ssl connection is > going to be established. The lookup may search the TXT record of the domain. > This record may contain one or multiple records in this form: > > mydomain.com IN TXT "tls-sec v=1.0 sock=443/tcp crypto=required > fingerprint=00:12:34:..." > mydomain.com IN TXT "tls-sec v=1.0 sock=25/tcp crypto=desired > fingerprint=ab:cd:ef:..." > > So the TLS/SSL client is able to check whether there is a need for encryption > on this connection and it is able to doublecheck the fingerprint of the > keypair. > > In case a compromized CA has lost its "trusted" signing key, this key is not > able to sign any fraud certificates. > > As I introduced - this is just an idea. But I just would like to share it with > you. Feedback is welcome :)
You probably want to examine DANE/TLSA: http://tools.ietf.org/html/rfc6698 It's not secure without DNSSEC though. Ciao, Michael.
smime.p7s
Description: S/MIME Cryptographic Signature
