Gervase Markham:
> Exactly my point. If the CA's DNS is secure, the EV system is safe. If
> it's not, it's not. So the two are linked, and they shouldn't be.
I think you meant DV, not EV here...

> Note I wasn't specifically talking about this attack, which the CAs may
> well have patched against. My point is that if another vulnerability in
> DNS permitting spoofing is discovered, then EV is at risk - i.e. there
> is a link between the security of the two things.

Again, CAs have other/more requirements unlike John's DNS server... the security strategy of a CA should make a difference, otherwise they shouldn't play CA. CAs issuing DV certs have perhaps even an added burden in this respect. However, with EV (and other validated certificates) it's highly unlikely that the subscriber would even attempt to get a certificate for a domain over which he shouldn't have any control. In any case, SSL certificates are here to protect against DNS vulnerabilities and not as you stated.

> The weakness is that the CA's DNS server could be poisoned to allow the
> attacker to intercept their communications (e.g. email) with the target
> domain, and thereby obtain a DV certificate for it fraudulently.

See above...

> The result is that a mixed EV+DV page can be compromised if there is an
> ability to hijack DNS.

EV shouldn't be vulnerable to DNS poisoning of the CA DNS servers, otherwise what would we have gained by it? Isn't EV all about the EXTENDED validation, which includes domain control?

> Which is why I said the security of the two
> systems is currently linked. We can eliminate the link by requiring all-EV.

Yes, this is a good thing to do! As Nelson pointed out, when visiting an EV site, I want to be assured that there are no other parties listening... For example, Google Analytics is JavaScript code. In that code - or any other code included by a third party - it would be fairly easy to snoop for credit card and other details...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
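The last point in the message above, that any third-party script included on an EV page runs with full access to that page, suggests a simple audit: list every external script whose origin differs from the page's own. The following Node.js helper is an added example written for this page, not code from the thread or from any of the parties named in it; the page URL, the sample HTML and the origins in it are constructed for the demonstration.

```javascript
// Added example (not from the thread): given the HTML of a page served from an
// EV-validated origin, report every <script src=...> whose origin differs from
// the page's own origin. Each such origin is a third party whose code executes
// in the page and can read what the user types, which is the exposure of a
// "mixed EV+DV" page discussed above.

// Extract the src attribute of every <script> tag that has one. A regex is
// adequate for this audit helper; a production scanner should use a real
// HTML parser so that comments and attribute quoting edge cases are handled.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Resolve each src against the page URL and return the distinct origins that
// are not the page's own. Relative paths ("/js/x.js") and protocol-relative
// URLs ("//host/x.js") resolve correctly through the WHATWG URL constructor.
function thirdPartyScriptOrigins(html, pageUrl) {
  const page = new URL(pageUrl);
  const origins = new Set();
  for (const src of scriptSources(html)) {
    let u;
    try {
      u = new URL(src, page);
    } catch (e) {
      continue; // malformed src: the browser would not load it either
    }
    if (u.origin !== page.origin) origins.add(u.origin);
  }
  return [...origins].sort();
}

// Constructed sample page: one first-party script, one protocol-relative
// third-party analytics script, and one inline script (no src, so ignored).
const SAMPLE_HTML = `
<html><head>
<script src="/js/checkout.js"></script>
<script type="text/javascript" src="//analytics.example.net/ga.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>`;

const SAMPLE_PAGE_URL = "https://shop.example.com/checkout"; // constructed

if (typeof require !== "undefined" && require.main === module) {
  // Prints the third-party origins found in the constructed sample.
  console.log(thirdPartyScriptOrigins(SAMPLE_HTML, SAMPLE_PAGE_URL));
}
```

Run it against the saved HTML of a real checkout page and the output is the list of origins that would have to be held to the same validation standard as the page itself for the "all-EV" requirement to mean anything.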