Today's attack on @myetherwallet (via BGP hijack of AWS name servers) proves beyond doubt that everyone should implement DNSSEC and HSTS asap!
DNSSEC = resolvers would deny fake records
HSTS = browsers would prevent users from burning themselves on self-signed certs.
And what about the other 100+ organizations capable of issuing publicly-trusted certificates? There is no requirement to validate DNSSEC when doing domain validation.
Maybe it should. That was one of the issues raised on mozilla.dev.security.policy when CAA checking became mandatory: how a CA should behave on DNSSEC failure, treat CAA as non-existent and just move on, or deny issuance.
I believe there's a requirement to consider DNSSEC in the checking of the CAA records (including for non-existence of any CAA record of relevance) in the presence of the DS anchors. SERVFAIL return on CAA record query blocks further validation.
Requirement is a strong word. CAs implemented it incorrectly and browsers wouldn't enforce.
Root store programs could (by policy). Misbehaving CAs would get warned and eventually kicked out.
@mozilla could definitely do it.
I was the person who argued on m.d.s.p. that Mozilla should enforce. They didn't.
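The two CA behaviours debated above (treat a DNSSEC failure as "no CAA record" and keep climbing, or deny issuance outright) in an added example that is not part of the thread or of any CA's code. It models the RFC 8659 tree-climb over constructed resolver answers; the names, CA identifiers and the `RESPONSES` table are assumptions built for the illustration, and a validating resolver's DNSSEC failure is represented as SERVFAIL.

```python
"""Added example: CAA lookup with a DNSSEC-failure policy (RFC 8659 tree-climb)."""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]          # (flags, tag, value)
Answer = Tuple[str, List[CaaRecord]]      # (rcode, CAA records)

# Constructed resolver answers keyed by owner name. SERVFAIL stands for
# "the validating resolver rejected the data" (e.g. unsigned answers served
# from a hijacked name server for a DNSSEC-signed zone).
RESPONSES: Dict[str, Answer] = {
    "www.example.test.":  ("NOERROR", []),                        # no CAA at leaf
    "example.test.":      ("NOERROR", [(0, "issue", "ca-a.test")]),
    "test.":              ("NOERROR", []),
    "www.hijacked.test.": ("SERVFAIL", []),                       # bogus data
    "hijacked.test.":     ("SERVFAIL", []),                       # bogus data
}

def caa_lookup(name: str, responses: Dict[str, Answer]) -> Answer:
    """Stand-in for a CAA query to a DNSSEC-validating resolver."""
    return responses.get(name, ("NOERROR", []))

def relevant_caa(fqdn: str, responses: Dict[str, Answer],
                 on_servfail: str) -> Optional[List[CaaRecord]]:
    """Climb from fqdn toward the TLD and return the first non-empty CAA set.
    on_servfail='deny': any SERVFAIL aborts (None = refuse to issue).
    on_servfail='skip': treat SERVFAIL as 'no records' and keep climbing."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rcode, records = caa_lookup(".".join(labels[i:]) + ".", responses)
        if rcode == "SERVFAIL":
            if on_servfail == "deny":
                return None
            continue
        if records:
            return records
    return []  # no CAA anywhere in the tree: issuance is unrestricted

def may_issue(fqdn: str, ca_id: str, responses: Dict[str, Answer],
              on_servfail: str = "deny") -> bool:
    """Issuance decision for a non-wildcard certificate (issuewild/iodef not modelled)."""
    records = relevant_caa(fqdn, responses, on_servfail)
    if records is None:
        return False
    issue_values = [v for _flags, tag, v in records if tag == "issue"]
    if not issue_values:
        return True
    # An 'issue' value of ';' alone names no CA, so it permits nobody.
    return any(v.split(";")[0].strip() == ca_id for v in issue_values)
```

With the lax policy the bogus answers for `hijacked.test` are skipped and the climb reaches an unrestricted parent, so a non-listed CA would issue; with the deny policy the same lookup refuses.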