This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[atlas] SSL Certificates for ripe anchors

Previous message (by thread): [atlas] SSL Certificates for ripe anchors
Next message (by thread): [atlas] SSL Certificates for ripe anchors

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Bjørn Mork bjorn at mork.no
Fri Aug 30 23:20:49 CEST 2019

Jóhann B. Guðmundsson <johannbg at gmail.com> writes:

> How on earth is having a CAA record which pin points who is allowed to
> issue certificates

No, it doesn't.  It's merely a hint to CAs. It cannot prevent spoofed
certificates if any CA is compromised, or fails to validate the CAA
record for other reasons.  TLS clients are unable to detect spoofed
certificates using CAA, since there is no sane way to map between CA
certificate and the CAA record. It depends on ultimate trust in every
browser root CA. CAA is mostly smoke and mirrors.

TLSA allows you to pin CA certificates or server certificates so that it
can be validated by everyone. It will protect against rogue or
compromised CAs. And you don't need to trust any of them.  You can pin
your own certificate instead.

Yes, CAA is inferior. It would have been funny if it wasn't for the fact
that people actually believe in this stuff.

Bjørn

Previous message (by thread): [atlas] SSL Certificates for ripe anchors
Next message (by thread): [atlas] SSL Certificates for ripe anchors

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ripe-atlas Archives ]