This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] SSL Certificates for ripe anchors
Bjørn Mork
bjorn at mork.no
Fri Aug 30 23:33:43 CEST 2019
Randy Bush <randy at psg.com> writes:

>> Which is the reason why no major browser does TLSA validation.
>
> well. there is the extra protocol turn. agl tried and backed off,
> seemingly because of that.

I hear that. And I see them pushing DNS over HTTPS at the same time.
Doesn't really compute... They are so good at making up excuses.

A couple of years ago they didn't need TLSA validation because HPKP was
so much better:
https://www.imperialviolet.org/2015/01/17/notdane.html

Where did that go? Oh, yes, turns out it wasn't such a good idea anyway:
https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html

So now we're back to ultimate trust in the CAs again, using CT and CAA.
Nice move.

> but, if we want to encourage tlsa, recommended values for the three
> lovely but obscure (after all, it is the dns) parameters. victor
> whacked me into using 211 with let's encrypt certs.

I prefer 3 1 1 for my certs, pinning my own key regardless of who else
signed it.

Bjørn
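The "2 1 1" versus "3 1 1" choice discussed above, worked through as an added example (this is not code from the thread, from RIPE Atlas or from any anchor software): it builds a throwaway CA and server certificate in memory, derives both TLSA records from them, and checks a presented chain against each, so the difference between pinning the issuing CA (usage 2) and pinning the server's own key (usage 3) is visible. The usage/selector/matching semantics follow RFC 6698; the names `Record`, `Verify`, `newCert`, the zone name `anchor.example` and the certificate subjects are assumptions made for the example, and only the parameter values the thread mentions (selectors 0 and 1, matching type 1) plus usages 2 and 3 are implemented.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one record: usage, selector, matching type (RFC 6698) and its data.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// Record builds the TLSA record for c. Selector 0 hashes the whole DER cert,
// selector 1 the SubjectPublicKeyInfo; only matching type 1 (SHA-256) is handled.
func Record(c *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	data := c.RawSubjectPublicKeyInfo
	if selector == 0 {
		data = c.Raw
	} else if selector != 1 {
		return TLSA{}, fmt.Errorf("unknown selector %d", selector)
	}
	if matching != 1 {
		return TLSA{}, fmt.Errorf("matching type %d not handled in this example", matching)
	}
	h := sha256.Sum256(data)
	return TLSA{usage, selector, matching, h[:]}, nil
}

// Verify checks a presented chain (leaf first) against one record. Usage 3
// (DANE-EE) matches the leaf alone, with no PKIX path building; usage 2 (DANE-TA)
// matches an issuer, which then becomes the sole trust anchor for a normal path
// validation of the leaf. Usages 0 and 1 (PKIX-TA/EE) are not handled here.
func Verify(chain []*x509.Certificate, rr TLSA) (bool, error) {
	if len(chain) == 0 {
		return false, fmt.Errorf("empty chain")
	}
	matches := func(c *x509.Certificate) bool {
		r, err := Record(c, rr.Usage, rr.Selector, rr.Matching)
		return err == nil && bytes.Equal(r.Data, rr.Data)
	}
	switch rr.Usage {
	case 3:
		return matches(chain[0]), nil
	case 2:
		roots, inter := x509.NewCertPool(), x509.NewCertPool()
		for _, c := range chain[1:] {
			inter.AddCert(c)
			if matches(c) {
				roots.AddCert(c)
			}
		}
		_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
		return err == nil, nil
	}
	return false, fmt.Errorf("usage %d not handled in this example", rr.Usage)
}

// newCert produces throwaway test material (not a real anchor's certificate): with
// parent == nil the result is a self-signed CA, otherwise a server certificate
// for key signed by parentKey.
func newCert(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	signer := parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca, _ := newCert("Example CA", caKey, nil, nil)
	leaf, _ := newCert("anchor.example", leafKey, ca, caKey)
	ee, _ := Record(leaf, 3, 1, 1) // pins the server's own key, whoever signed it
	ta, _ := Record(ca, 2, 1, 1)   // pins the issuing CA instead
	for _, rr := range []TLSA{ee, ta} {
		ok, _ := Verify([]*x509.Certificate{leaf, ca}, rr)
		fmt.Printf("_443._tcp.anchor.example. IN TLSA %d %d %d %x  verifies=%v\n", rr.Usage, rr.Selector, rr.Matching, rr.Data, ok)
	}
}
```

Running it prints one zone-file rdata line per record. The property to notice is the one the thread is about: if the same server key is re-issued by a different CA, a 3 1 1 record keeps matching (the SubjectPublicKeyInfo is unchanged) while a 2 1 1 record for the old CA stops matching; a 3 0 1 record, which hashes the full certificate, breaks on every renewal even with the same key. A real DANE client additionally requires the TLSA RRset to arrive over a DNSSEC-validated response, which this example does not model.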