[liberationtech] How to protect users from compelled fake ssl certs?

coderman coderman at gmail.com
Wed Jul 3 11:41:20 PDT 2013


On Tue, Jul 2, 2013 at 10:01 AM, Ralph Holz <holz at net.in.tum.de> wrote:
>> DANE: https://tools.ietf.org/html/rfc6698
>> CAA: https://tools.ietf.org/html/rfc6844
>> ....
> I wonder whether that would have protected against the Comodo Hacker. It
> seems it depends when and from where the CAA checks are run.

It would not. Comodo Hacker used the HSM programmatic interfaces
directly to issue certificates, thus bypassing any checks CAA would
imply.


> ...
> It's another reason I like DANE and CT better.

Fortunately you don't have to pick one; use both ;)
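To make the point about where CAA is enforced concrete, here is an added example (not from the original post or from any CA's code) of the RFC 6844 check a CA runs before issuance: find the closest CAA RRset walking up the tree, then test the CA's identifying domain against the issue/issuewild properties. The zone data is constructed and no DNS is queried; ZONE, relevant_caa and ca_may_issue are names chosen for this example.

```python
from typing import Dict, List, Tuple

# Constructed zone for the example: owner name -> CAA records as (flags, tag, value).
# Flag 128 is the "issuer critical" bit from RFC 6844 section 5.1.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [(0, "issue", "ca-one.example; account=12"),
                     (0, "issuewild", ";")],           # ";" = nobody may issue wildcards
    "strict.example.com.": [(128, "future-tag", "x")],  # critical property a CA doesn't know
}


def relevant_caa(name: str) -> List[Tuple[int, str, str]]:
    """RFC 6844 section 4: the relevant RRset is the closest one found
    walking from the requested name toward the root (no CNAME handling here)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def _issuer_domains(values: List[str]) -> set:
    # A property value is "<issuer-domain>; <params>"; an empty domain forbids all issuers.
    return {v.split(";", 1)[0].strip() for v in values}


def ca_may_issue(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Decision a CA must make at issuance time. Note this runs inside the CA's
    issuance pipeline; a relying party never evaluates it, which is why a
    certificate minted directly through the HSM interface skips it entirely."""
    rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA anywhere up the tree: no restriction
    # An unrecognised property with the critical flag set forbids issuance.
    if any(flags & 0x80 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # CAA present but no issue restriction: any CA may issue
    return ca_domain in _issuer_domains(props)
```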
