Re: [Fed-Talk] DCO Chat on Mavericks
- Subject: Re: [Fed-Talk] DCO Chat on Mavericks
- From: Henry B Hotz <email@hidden>
- Date: Fri, 14 Feb 2014 12:30:27 -0800
On Feb 14, 2014, at 9:42 AM, Shawn A. Geddis <email@hidden> wrote:
> I cannot personally verify the above, since a quick DNS lookup on chat.dco.dod.mil gives me an IP that the servers I am behind right now cannot find. Also, I would not have an account on the server to obtain the certificate chain to verify. A Bug submission from this community would be the only way we can look into this.
A general comment, not a specific request: having the PKI system check a reverse lookup is something which Apple added just a few OS revs ago. Conversely, the Kerberos community used to always do that check, but has been steadily disabling it in the last few years.
The reason is that it creates deployment problems without adding anything to the actual cryptographic security. If the endpoint has the right keys (with the right name on the keys) then it's the right endpoint. Absent a really good DNSSEC deployment, DNS can't authoritatively disagree, so it shouldn't be allowed to DoS the endpoint.
I'll file a bug report if you think it's worth it, but I'm not entirely sure how I ought to phrase the request.
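To make the argument in the message above concrete, here is an added example (not code from the thread or from Apple's or MIT Kerberos's implementations) that separates the two checks: matching the requested hostname against the names on the certificate, and the extra reverse-lookup check. The SAN list and PTR table are constructed sample data, and the hostnames and IPs are assumptions, not the DCO server's.

```python
# Constructed sample data: a certificate's subjectAltName dNSName entries and a
# PTR table standing in for reverse DNS. Neither comes from the original thread.
SAMPLE_SANS = ["chat.example.test", "*.dco.example.test"]
SAMPLE_PTR = {"192.0.2.10": "chat.example.test"}  # 192.0.2.20 has no PTR record


def san_matches(hostname: str, sans: list) -> bool:
    """Name-on-the-keys check: does the requested hostname match a SAN?

    A wildcard is honoured only as the whole leftmost label (RFC 6125 style),
    so '*.dco.example.test' matches 'a.dco.example.test' but neither
    'dco.example.test' nor 'x.y.dco.example.test'.
    """
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            h_labels, s_labels = host.split("."), san.split(".")
            if len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]:
                return True
        elif san == host:
            return True
    return False


def reverse_lookup_matches(ip: str, hostname: str, ptr_table: dict) -> bool:
    """The reverse-lookup check the message argues against.

    True only if the IP has a PTR record naming the host. A missing or stale
    PTR fails the connection although it says nothing about who holds the key.
    """
    ptr = ptr_table.get(ip)
    return ptr is not None and ptr.lower().rstrip(".") == hostname.lower().rstrip(".")


def endpoint_accepted(hostname: str, ip: str, sans: list,
                      ptr_table: dict, require_reverse: bool) -> bool:
    """Combine the checks the way a client would.

    Without DNSSEC the PTR answer is unauthenticated, so requiring it can only
    add false rejections (a denial of service against a correctly keyed
    endpoint), never cryptographic assurance beyond the SAN match.
    """
    if not san_matches(hostname, sans):
        return False
    if require_reverse and not reverse_lookup_matches(ip, hostname, ptr_table):
        return False
    return True
```

Running `endpoint_accepted("chat.example.test", "192.0.2.20", SAMPLE_SANS, SAMPLE_PTR, True)` returns False purely because the PTR is absent, while the same endpoint passes with `require_reverse=False`.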
_______________________________________________
Fed-talk mailing list (email@hidden)