Verisign controls .com and is on pretty much every root CA list, so they can do what you describe today, no DANE required.



Do you not see a problem with a massive deployment of new crypto infrastructure that leaves Verisign in cryptographic control of any site in .COM?


Oh, I definitely do. I was just trying to say that Verisign could already do a similar attack even without DANE. As controllers of .com they could easily redirect example.com to an evil server, and as a root CA they could give the evil server an EV certificate for example.com.

If anything, I suppose that should be an argument against consolidating DNS and TLS powers into single entities, which is exactly what DNSSEC and DANE do.
