Re: Quic: the elephant in the room


On Sat, 10 Apr 2021 at 10:50, Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote:
> On Sat, Apr 10, 2021 at 10:29:42AM +0100,
>  Ben Laurie <benl=40google.com@xxxxxxxxxxxxxx> wrote
>  a message of 138 lines which said:
>
> > However, the other problem is introducing DNS as a trust root - the
> > DNS hierarchy is considerably less secure than CAs were even before
> > CT but now it's really a very poor option in comparison.
>
> It doesn't matter since, if you control the DNS, you can have your
> certificate, anyway. So, it doesn't change the picture.

This is only relevant if the controller of the DNS is not the "right" one - in which case, CT will reveal both the existence of the cert and the implied DNS compromise, which they can then rectify. If DNS were the only authority it would be much harder to detect.

So, it does matter.
 
