12 Sep 2011, 5:46 a.m.
How about a TXT record with the CN string of the CA cert subject in it? If it exists and there's a conflict, don't trust it. Seems simple enough to implement without too much collateral damage.
Needs to be a DNSSEC-validated TXT record, or you've opened yourself up to attacks via DNS poisoning (either insert a malicious TXT that matches your malicious certificate, or insert a malicious TXT that intentionally *doesn't* match the victim's certificate)...
And how do you validate the DNSSEC to make sure that no one has tampered with it. -- //fredan
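The policy the first two comments sketch, written out as an added example (not code from any of the posters): a client compares the subject CN of the CA that issued the served certificate against a TXT record and refuses the connection on a conflict, but only acts on the record when the resolver reports it as DNSSEC-authenticated. The `ca-cn=` label, the `TxtAnswer` shape and the sample records are constructed assumptions; a real client would get the authenticated flag from a validating resolver (the AD bit) rather than from a field it fills in itself.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# Hypothetical label for the TXT string carrying the CA subject CN (constructed).
PIN_PREFIX = "ca-cn="


class Verdict(Enum):
    TRUST = "issuer matches published pin"
    REJECT = "issuer conflicts with published pin"
    NO_POLICY = "no pin published; fall back to the normal trust store"
    UNVERIFIED = "pin present but not DNSSEC-authenticated; ignored"


@dataclass
class TxtAnswer:
    """A TXT answer as a validating resolver would hand it back (constructed)."""
    strings: List[str]       # rdata strings of the TXT RRset
    authenticated: bool      # True only if the resolver validated the DNSSEC chain (AD bit)


def _normalise(cn: str) -> str:
    # Subject CNs are compared case-insensitively and without surrounding whitespace.
    return cn.strip().casefold()


def published_pins(answer: TxtAnswer) -> List[str]:
    """Extract the CA CN pins from a TXT RRset, ignoring unrelated TXT strings."""
    return [
        _normalise(s[len(PIN_PREFIX):])
        for s in answer.strings
        if s.startswith(PIN_PREFIX) and s[len(PIN_PREFIX):].strip()
    ]


def evaluate(issuer_cn: str, answer: Optional[TxtAnswer]) -> Verdict:
    """Apply the pin policy to the CA subject CN seen in the served certificate chain."""
    if answer is None:
        return Verdict.NO_POLICY
    pins = published_pins(answer)
    if not pins:
        return Verdict.NO_POLICY
    # A pin that is not DNSSEC-authenticated must not change the outcome at all:
    # honouring it would let a poisoned TXT either vouch for a rogue CA or
    # deliberately mismatch the genuine one and block the site.
    if not answer.authenticated:
        return Verdict.UNVERIFIED
    return Verdict.TRUST if _normalise(issuer_cn) in pins else Verdict.REJECT


# Constructed sample data: one genuine, validated RRset and one unvalidated answer.
GENUINE = TxtAnswer(["v=spf1 -all", "ca-cn=Example Root CA"], authenticated=True)
POISONED = TxtAnswer(["ca-cn=Rogue CA"], authenticated=False)

if __name__ == "__main__":
    for issuer, ans in [("Example Root CA", GENUINE), ("Rogue CA", GENUINE),
                        ("Rogue CA", POISONED), ("Example Root CA", POISONED),
                        ("Any CA", None)]:
        print(f"{issuer!r:20} -> {evaluate(issuer, ans).value}")
```

`UNVERIFIED` leads to the same connection decision as `NO_POLICY` (the normal trust store decides), but it is kept distinct so that a client can log unauthenticated pins: a burst of them for a zone that normally validates is exactly the poisoning case the second comment describes.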