Nelson B Bolyard:
> Gervase Markham wrote, On 2008-08-22 02:17:
>> Eddy Nigg wrote:
>>> Well, I don't agree with the statements above. It really depends what
>>> kind of DNS attack it is and how prepared the CA is and what the CA does
>>> about it.
>> Exactly my point. If the CA's DNS is secure, the EV system is safe.
>
> And, of course, the statement "CA's DNS is secure" means more than just
> "the CA's DNS server is patched".  It also means: "every DNS server on
> which the CA's DNS server relies in the course of resolving external
> DNS records, must also be patched".  It's not clear to me that ANY CA
> can truthfully claim to be immune to all DNS attacks for all domains.

Nobody claimed that!!! However CAs (should) have controls in place to 
minimize such a possibility and actively prevent it from happening (to 
them). Obviously a known vulnerability is something which can be easily 
solved, but it doesn't end there...attacks can have different vectors 
and weak points. The CA must be prepared for such eventualities, 
otherwise why rely on them in the first place...

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
