Re: [atlas] SSL Certificates for ripe anchors

2019-08-31 Thread Bruno Pagani
On 30/08/2019 at 20:32, Gert Doering wrote:
> Hi,
>
> On Fri, Aug 30, 2019 at 03:08:06PM +, Jóhann B. Guðmundsson wrote:
>>> Yep. I wish the use of TLSA was more wide spread. It doesn't require third 
>>> parties to "certify" who is who.
>> The third parties that "certify" are for others to establish trust in 
>> that you are who you claim to be not because it's "required" and the 
>> security industry has deemed those who do not at least get some other 
>> entity to validate, not to be worthy of trust.
> TLSA does all this, without requiring some other entity that follows their
> own agenda to "certify" anything.  You need to trust the DNS root KSK,
> of course, but everything else follows the normal DNSSEC chain.

Not quite true, you also need to trust your registrar, as they could
change the enrolled DNSSEC key and glue records. Though this is way more
visible than a rogue certificate used punctually for some targets. ;)




Re: [atlas] SSL Certificates for ripe anchors

2019-08-31 Thread Randy Bush
> Push everybody to do "https everywhere!"  (why not?  LE is free!), and
> of course for *real* security companies must have EV certs from "real"
> CAs... for heaps of money.

upcoming chrome and ffox will not green light ev

randy



Re: [atlas] SSL Certificates for ripe anchors

2019-08-31 Thread Gert Doering
Hi,

On Fri, Aug 30, 2019 at 09:59:02PM +, Jóhann B. Guðmundsson wrote:
> Given that Let's Encrypt's own root, which was supposed to be pushed out this
> July but got delayed until 2020, is widely trusted by browsers, one can hardly
> claim that the browser community is run by some "cert cabal"

Well, the pieces sort of nicely fit.  Push everybody to do "https everywhere!"
(why not?  LE is free!), and of course for *real* security companies must
have EV certs from "real" CAs... for heaps of money.

Money flows.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                 Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14   Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen            HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444    USt-IdNr.: DE813185279

