[Discuss] root CA bloat
Richard Pieri
richard.pieri at gmail.com
Sat Nov 22 10:17:38 EST 2014
On 11/22/2014 5:33 AM, Bill Bogstad wrote:
> You are conflating DNS and Certificate Authorities. When I look at
> the certificate used
> for www.microsoft.com, it appears to be signed by Symantec via
> Verisign. In any case, controlling someone's DNS is not the same
> thing as being able to sign an SSL certificate that will be accepted.
MarkMonitor is a trusted CA. If they generate a certificate for
microsoft.com then your browser will trust it. MarkMonitor is
authoritative for the microsoft.com domain. They can change all
microsoft.com hosts to point to their servers and you will trust them
because their DNSSEC signatures are good and valid.
--
Rich P.
More information about the Discuss
mailing list