-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 6/21/13 9:41 AM, Olle E. Johansson wrote:
> On 21 Jun 2013 at 15:05, Daniel Pocock <daniel@pocock.com.au> wrote:
>
> > - The config uses DNS to establish the transport available on the remote proxy. It doesn't use DNSSEC to do this.
> >
> > I'm not sure if DNSSEC matters if the TLS certificate is valid - some people may prefer to trust the TLS cert and not place any trust in the DNSSEC trust model
>
> That's quite a misguided statement. If DNS points to an incorrect destination that succeeds in providing a certificate that you accept - how can that be a good solution?
>
> DNSsec verification tells you that you have an authorized binding between the hostname and the IP.
>
> TLS will tell you that you have a binding between the URI you're looking for and the server.
>
> That's two different things.
>
> DANE - TLS verification using DNSsec - is an alternative to the current rather insecure way of handling CA certificates. But that's another story. I think you're mixing DANE with DNSsec in your statement, Daniel.
DANE will be a good alternative, once it is more widely deployed. Unfortunately I think that won't happen very quickly. :(
Peter
-- 
Peter Saint-Andre
https://stpeter.im/
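The distinction Olle draws above (DNSSEC binds a name to DNS data, the CA-signed certificate binds a name to a key, and DANE uses the first to constrain the second) is easiest to see by computing a TLSA record. The following Go program is an added example and is not code from the thread or from any project the participants work on. It derives the certificate association data for a certificate under each TLSA selector and matching type (RFC 6698), then checks a presented certificate against the record. The two self-signed certificates, the name sip.example.com and the record owner name printed in main are constructed for illustration; the example assumes the TLSA record has already been obtained through a DNSSEC-validating resolver, which is the part that makes the comparison meaningful, and it only handles usages 1 and 3, which constrain the end-entity certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSA mirrors the RDATA of a DANE TLSA record (RFC 6698): certificate usage,
// selector, matching type, and the certificate association data.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// association derives the certificate association data for cert under the
// given selector (0 = full DER certificate, 1 = SubjectPublicKeyInfo) and
// matching type (0 = exact copy, 1 = SHA-256, 2 = SHA-512).
func association(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var in []byte
	switch selector {
	case 0:
		in = cert.Raw
	case 1:
		in = cert.RawSubjectPublicKeyInfo
	default:
		return nil, errors.New("unknown TLSA selector")
	}
	switch matching {
	case 0:
		return in, nil
	case 1:
		h := sha256.Sum256(in)
		return h[:], nil
	case 2:
		h := sha512.Sum512(in)
		return h[:], nil
	}
	return nil, errors.New("unknown TLSA matching type")
}

// NewTLSA computes the record a zone owner would publish for cert.
func NewTLSA(cert *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	d, err := association(cert, selector, matching)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, Matching: matching, Data: d}, nil
}

// Matches reports whether the certificate a server presented satisfies the
// record. The record is assumed to have come from a DNSSEC-validated answer.
// Usages 0 and 2 constrain a CA in the chain rather than the leaf and are
// deliberately not handled here, so they never match.
func (r TLSA) Matches(presented *x509.Certificate) bool {
	if r.Usage != 1 && r.Usage != 3 {
		return false
	}
	got, err := association(presented, r.Selector, r.Matching)
	return err == nil && bytes.Equal(got, r.Data)
}

// SelfSigned makes a throwaway self-signed ECDSA certificate for cn. It stands
// in for whatever certificate a server, legitimate or not, manages to present.
func SelfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed scenario: two certificates for the same name, different keys.
	// Both could carry a valid CA chain; only one matches the published record.
	legit, _ := SelfSigned("sip.example.com")
	rogue, _ := SelfSigned("sip.example.com")
	rec, _ := NewTLSA(legit, 3, 1, 1) // "3 1 1": DANE-EE, SPKI, SHA-256
	fmt.Printf("TLSA 3 1 1 %x\n", rec.Data) // illustrative record, owner name omitted
	fmt.Println("legitimate cert matches:", rec.Matches(legit))
	fmt.Println("rogue cert matches:", rec.Matches(rogue))
}
```

The rogue certificate is rejected purely because its key does not match the DNSSEC-published association data, regardless of whether a CA would have signed it; that is the sense in which DANE makes the DNS answer, not the CA list, the root of trust for the TLS endpoint. Without DNSSEC on the TLSA lookup, an attacker who can forge the DNS reply can also forge the record, which is why the example treats validation of the answer as a precondition rather than something the matcher can supply.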