[atlas] SSL Certificates for ripe anchors

On Fri, Aug 30, 2019, 18:34 Bjørn Mork <bjorn at mork.no> wrote:

> Sander Steffann <sander at steffann.nl> writes:
>
> > Yep. I wish the use of TLSA was more wide spread. It doesn't require
> > third parties to "certify" who is who.
>
> +1
>
> There is still too much money in the CA business.


I would argue not but given that ripe itself is still paying digicert that
arguement would be muted

Which is the reason
> why no major browser does TLSA validation.


*<Citation needed>*

  And why "best practices"
> allow, or even recommend, inferior solutions like CAA, HPKP and other
> bad ideas instead of DANE.


How on earth is having a CAA record which pin points who is allowed to
issue certificates on your behalf an inferiour solution. A RR that you use
with DANE btw o_O

You gotta look at the source of those
> recommendations. They are most likely "best" for someones wallet.  Not
> necessarily for security.
>

Still no one has answered why ripe is using self signed certs for anchor
when they can use let's encrypt for free...

It's amazing that they still try to make those pigs fly.
>

Who are they? The evil certificate cabal that is out to destroy the world?
Do I need to start wearing my tin foil hat when I go out riding and storm
area 51 while i'm at it ;)

In anycase to stay on topic.

If the person or team that is responsible for the certificates on anchors
can answer why they choose to use self signed certs, and why the ripe
community is still paying for digicert when there is equally good, free
signed alternative in an open community available,that would be good.

If the answer is "we have not gotten around to it yet, but are planning to
switch to let's encrypt for our self signed and paid certificates"
*wink*wink**nudge*nudge* that would be even better.

Thanks
            JBG
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/ripe-atlas/attachments/20190830/cc8ea44d/attachment.html>