[atlas] SSL Certificates for ripe anchors

On Fri, Aug 30, 2019, 20:30 Randy Bush <randy at psg.com> wrote:

> > There is still too much money in the CA business.
>
> well, though on the surface i agree, i do not take it as a motivation to
> add one more chunk of sysadmin.
>
> > Which is the reason why no major browser does TLSA validation.
>
> well. there is the extra protocol turn.  agl tried and backed off,
> seemingly because of that.
>

The problem with the added extra lookup which added more latency, which
increased the chances for packet loss, causing expensive timeouts and
retransmitions had been somewhat worked on but abandoned [1] and wont be
revisited due to [2] being the browser community take on this afaik.

Given that Let's encrypt own root which was supposed to be pushed out this
July but got delayed til 2020 is widely trusted by browser, one can hardly
claim that the browser community is run by some "cert cabal"

If the "cert cabal" will try anything it will be to block acceptance and or
usage of self and Let's encrypt signed certs with high profile cloud
providers because that's where the money is and corporates are somewhat
vendor locked in there, which makes them an easy pray for additional fees..

JBG

1.
https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
2. http://www.certificate-transparency.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/ripe-atlas/attachments/20190830/3b9f517c/attachment.html>