This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[atlas] SSL Certificates for ripe anchors
Bruno Pagani
bruno.pagani at ens-lyon.org
Sat Aug 31 15:09:29 CEST 2019
On 30/08/2019 at 20:32, Gert Doering wrote:
> Hi,
>
> On Fri, Aug 30, 2019 at 03:08:06PM +0000, Jóhann B. Guðmundsson wrote:
>>> Yep. I wish the use of TLSA was more widespread. It doesn't require third parties to "certify" who is who.
>> The third parties that "certify" are for others to establish trust in
>> that you are who you claim to be not because it's "required" and the
>> security industry has deemed those who do not at least get some other
>> entity to validate, not to be worthy of trust.
> TLSA does all this, without requiring some other entity that follows their
> own agenda to "certify" anything. You need to trust the DNS root KSK,
> of course, but everything else follows the normal DNSSEC chain.

Not quite true, you also need to trust your registrar, as they could change the enrolled DNSSEC key and glue records. Though this is way more visible than a rogue certificate used punctually for some targets. ;)