This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] SSL Certificates for ripe anchors
Jóhann B. Guðmundsson
johannbg at gmail.com
Fri Aug 30 21:31:05 CEST 2019
On Fri, Aug 30, 2019, 18:34 Bjørn Mork <bjorn at mork.no> wrote:

> Sander Steffann <sander at steffann.nl> writes:
>
> > Yep. I wish the use of TLSA was more widespread. It doesn't require
> > third parties to "certify" who is who.
>
> +1
>
> There is still too much money in the CA business.

I would argue not but given that ripe itself is still paying digicert that argument would be muted

> Which is the reason
> why no major browser does TLSA validation.

*<Citation needed>*

> And why "best practices"
> allow, or even recommend, inferior solutions like CAA, HPKP and other
> bad ideas instead of DANE.

How on earth is having a CAA record which pinpoints who is allowed to issue certificates on your behalf an inferior solution? A RR that you use with DANE btw o_O

> You gotta look at the source of those
> recommendations. They are most likely "best" for someone's wallet. Not
> necessarily for security.
>

Still no one has answered why ripe is using self signed certs for anchor when they can use let's encrypt for free...

> It's amazing that they still try to make those pigs fly.
>

Who are they? The evil certificate cabal that is out to destroy the world? Do I need to start wearing my tin foil hat when I go out riding and storm area 51 while I'm at it ;)

In any case, to stay on topic.

If the person or team that is responsible for the certificates on anchors can answer why they choose to use self signed certs, and why the ripe community is still paying for digicert when there is equally good, free signed alternative in an open community available, that would be good.

If the answer is "we have not gotten around to it yet, but are planning to switch to let's encrypt for our self signed and paid certificates" *wink*wink**nudge*nudge* that would be even better.

Thanks
JBG