[Security] S2S Leap of faith w/ SASL EXTERNAL
stpeter at stpeter.im
Wed Nov 17 20:54:49 CST 2010
On 11/17/10 7:48 PM, Jesus Cea wrote:
> On 18/11/10 02:52, Kim Alvefur wrote:
>> The thing I wanted to get at was to make it simpler for smaller
>> deployments, like some friends' personal servers, to establish some
>> measurement of trust between themselves, without all the bureaucracy
>> that CAs bring.
> Too bad DNSSEC is being deployed almost as slowly as IPv6.
It's been going faster recently. The root is signed, as is org, with com
and net coming soon AFAIK. And there's now a handy Firefox plugin:
> I do care about MITM attacks. But when you don't have any other choice...
> I was thinking about DNSSEC and storing X.509 fingerprints in the DNS...
> That could destroy the need of an X.509 CA hierarchy.
> You can actually do it now, with no DNSSEC, if you accept DNS is safe
> (current situation with dialbacks).
> Store the certificate fingerprint in a DNS record.
There's an effort starting up at the IETF to do just that. The working
group should be formed quite soon. Here's the proposed charter:
So progress is happening, but it's always slower than we'd like...