This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] SSL Certificates for ripe anchors
- Previous message (by thread): [atlas] SSL Certificates for ripe anchors
- Next message (by thread): [atlas] SSL Certificates for ripe anchors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Bjørn Mork
bjorn at mork.no
Fri Aug 30 23:20:49 CEST 2019
Jóhann B. Guðmundsson <johannbg at gmail.com> writes:

> How on earth is having a CAA record which pinpoints who is allowed to
> issue certificates

No, it doesn't. It's merely a hint to CAs. It cannot prevent spoofed
certificates if any CA is compromised, or fails to validate the CAA record
for other reasons.

TLS clients are unable to detect spoofed certificates using CAA, since there
is no sane way to map between CA certificate and the CAA record. It depends
on ultimate trust in every browser root CA. CAA is mostly smoke and mirrors.

TLSA allows you to pin CA certificates or server certificates so that it can
be validated by everyone. It will protect against rogue or compromised CAs.
And you don't need to trust any of them. You can pin your own certificate
instead.

Yes, CAA is inferior. It would have been funny if it wasn't for the fact that
people actually believe in this stuff.

Bjørn
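The distinction Bjørn draws above (a TLSA record lets a TLS client itself check that the presented certificate, or one of its issuers, is the one the zone owner pinned, whereas CAA is only advice to CAs) can be shown in a few dozen lines. The following is an added example, not code from this thread or from RIPE Atlas. It uses only the Python standard library: a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate, the RFC 6698 association data is recomputed from the presented certificate for the record's selector and matching type, and a DANE-EE (usage 3) or DANE-TA (usage 2) record is checked against a chain. The certificates are constructed toy DER blobs with the real X.509 field order but fake key bits and a placeholder signature, and the toy validator does not verify chain signatures, which a real DANE-TA check must also do.

```python
import hashlib

def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(body)) + body

def der_tlv(blob: bytes, i: int = 0):
    """Parse the TLV header at offset i; return (tag, value_start, value_end)."""
    tag, first, hdr = blob[i], blob[i + 1], i + 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(blob[hdr:hdr + n], "big")
        hdr += n
    else:
        length = first
    return tag, hdr, hdr + length

def der_children(blob: bytes) -> list:
    """Full encodings of the elements directly inside the constructed value at offset 0."""
    _, pos, end = der_tlv(blob)
    out = []
    while pos < end:
        _, _, vend = der_tlv(blob, pos)
        out.append(blob[pos:vend])
        pos = vend
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo from Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    fields = der_children(der_children(cert_der)[0])
    # tbsCertificate: [0] version (optional), serial, signature, issuer, validity, subject, SPKI, ...
    idx = 1 if fields[0][0] == 0xA0 else 0
    return fields[idx + 5]

def tlsa_association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Selector 0 = full certificate, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % mtype)

def tlsa_record(usage: int, selector: int, mtype: int, cert_der: bytes) -> str:
    """Presentation format of the TLSA RR a zone operator would publish for cert_der."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_association_data(cert_der, selector, mtype).hex())

def tlsa_matches(record: str, cert_der: bytes) -> bool:
    """Does the presented certificate match the association data in this TLSA record?"""
    _usage, selector, mtype, hexdata = record.split(None, 3)
    expected = bytes.fromhex(hexdata.replace(" ", ""))
    return tlsa_association_data(cert_der, int(selector), int(mtype)) == expected

def dane_verify(records: list, chain: list) -> bool:
    """chain[0] is the server (end-entity) certificate, the rest its issuers.
    Usage 3 (DANE-EE) pins the server cert itself: no CA trust involved.
    Usage 2 (DANE-TA) pins a CA: some cert above the leaf must match.
    Toy: chain signatures are NOT verified here; a real validator must do that for usage 2."""
    for rec in records:
        usage = int(rec.split()[0])
        if usage == 3 and tlsa_matches(rec, chain[0]):
            return True
        if usage == 2 and any(tlsa_matches(rec, c) for c in chain[1:]):
            return True
    return False

OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # rsaEncryption
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
OID_CN = b"\x55\x04\x03"                                   # commonName

def toy_cert(key_material: bytes, subject: bytes, issuer: bytes) -> bytes:
    """CONSTRUCTED certificate-shaped DER: real X.509 field order, fake key bits, placeholder signature."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn))))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + key_material))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                       # [0] version v3
              + der(0x02, b"\x01")                                                # serialNumber
              + der(0x30, der(0x06, OID_SHA256_RSA))                              # signature algorithm
              + name(issuer)                                                      # issuer
              + der(0x30, der(0x17, b"190830000000Z") + der(0x17, b"200830000000Z"))  # validity
              + name(subject)                                                     # subject
              + spki)                                                             # subjectPublicKeyInfo
    return der(0x30, tbs + der(0x30, der(0x06, OID_SHA256_RSA)) + der(0x03, b"\x00" * 9))

# Constructed scenario: the anchor's genuine certificate and CA, and a rogue CA issuing the same name.
CA_CERT = toy_cert(b"honest-ca-key", b"Honest CA", b"Honest CA")
SERVER_CERT = toy_cert(b"anchor-server-key", b"anchor.example", b"Honest CA")
ROGUE_CA = toy_cert(b"rogue-ca-key", b"Rogue CA", b"Rogue CA")
ROGUE_CERT = toy_cert(b"attacker-key", b"anchor.example", b"Rogue CA")

if __name__ == "__main__":
    ee_pin = tlsa_record(3, 1, 1, SERVER_CERT)  # "3 1 1 <sha256 of SPKI>", what the zone would publish
    print(ee_pin)
    print("genuine chain:", dane_verify([ee_pin], [SERVER_CERT, CA_CERT]))   # True
    print("rogue-CA chain:", dane_verify([ee_pin], [ROGUE_CERT, ROGUE_CA]))  # False
```

The point the toy makes concrete is the one in the message: with a usage-3 record the rogue CA's certificate fails regardless of which root stores trust that CA, because the client compares key material rather than consulting a CA's policy. Publishing "3 1 1" (SPKI, SHA-256) rather than "3 0 0" (full certificate, exact) is the usual choice, since it survives reissuing the certificate with the same key; in production the record must also be fetched over a DNSSEC-validated path, or the pin can be spoofed as easily as the certificate.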