Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] How to protect users from compelled fake ssl certs?

coderman coderman at gmail.com
Wed Jul 3 11:41:20 PDT 2013


On Tue, Jul 2, 2013 at 10:01 AM, Ralph Holz <holz at net.in.tum.de> wrote:
>> DANE: https://tools.ietf.org/html/rfc6698
>> CAA: https://tools.ietf.org/html/rfc6844
>> ....
> I wonder whether that would have protected against the Comodo Hacker. It
> seems it depends when and from where the CAA checks are run.

it would not. Comodo Hacker used the HSM programmatic interfaces
directly to issue certificates, thus bypassing any checks CAA would
imply.


> ...
> It's another reason I like DANE and CT better.

fortunately you don't have to pick one; use both ;)



More information about the liberationtech mailing list