Gervase Markham:
> Eddy Nigg wrote:
>> Because CAs (SHOULD) have controls in place to prevent that.
>
> Well, of course. But if another vulnerability in DNS is discovered like
> the recent one, no amount of "controls" is going to help for the period
> during which the Internet remains unpatched (assuming it's fixable at
> all - the flaw might be by design).
>

:-)

I think your statement above confirms the differences between our
daily tasks. As I said previously, CAs are critical infrastructures for
a very specific task, not some user forum. It's not about this or that
vulnerability; those controls (which should be in place) are here
exactly to prevent the unknown ones as well. And again, as I said previously,
if a CA isn't prepared for that, better not play CA in the first place.

Patching a vulnerable system is really what everybody operating or
relying on DNS servers should do; I was talking about controls beyond
that...


-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
