Gervase Markham:
> Eddy Nigg wrote:
>> Because CAs (SHOULD) have controls in place to prevent that.
>
> Well, of course. But if another vulnerability in DNS is discovered like
> the recent one, no amount of "controls" is going to help for the period
> during which the Internet remains unpatched (assuming it's fixable at
> all - the flaw might be by design).
>

:-) I think your statement above confirms the differences between both our daily tasks. As I said previously, CAs are critical infrastructures for a very specific task, not some user forum. It's not about this or that vulnerability; those controls (which should be in place) are exactly here to prevent also the unknown ones. And again, as I said previously, if a CA isn't prepared for that, better not play CA in the first place. Patching a vulnerable system is really what everybody operating or relying on DNS servers should do; I was talking about controls beyond that...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org