DNS based revoke lists

May 24, 2008

I just thought about the scaling problem of the SSL revoke lists, I wrote in my last blog post.  The first two solutions that came into mind where peer-to-peer or DNS based ones. Peer-to-peer would be not that good for enterprise users so I took a short look at DNS based revoke list. I just entered it into google and got RFC 2538 back as answer. Thats a full solution for storing certificates in the DNS (and yes also a revoke list). Maybe we could use the revoke list part of this RFC for the SSL revoke lists. This solution would scale without problems and with DNSSEC it would get even more secure.

So why is that not implemented? Just one browser vendor and one CA need to go forward and the rest will follow. They could do that instead of the “green” https stuff which is only there to generate more money. What are your thoughts about this?

3 Comments »

RSS feed for comments on this post. TrackBack URI

  1. Seems that you were not the only one with this idea
    http://www.heise.de/newsticker/DNS-Blacklist-fuer-schwache-SSL-Schluessel–/meldung/110257/from/rss09

    Comment by rlx — July 1, 2008 #

  2. […] they use. And there is still the revoke list problem, I’ve written previously (and also here). In IT Security […]

    Pingback by All SSL Sites are fake-able with new real world MD5 collision attack [Update] | Robert Penz Blog — December 30, 2008 #

  3. […] even the links to my previous posts are there. “…. .I’ve written previously (and also here)“. But he is not only copying from me. I copies from many other security bloggers! You need […]

    Pingback by Roy Firestein steals blog posts | Robert Penz Blog — January 1, 2009 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 74 queries. 0.270 seconds.