Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] free SSL certs from the EFF

I also use dns-sec and feed it to my devices.

-----Original Message-----
From: discuss-bounces+joe=polcari.com at blu.org
[mailto:discuss-bounces+joe=polcari.com at blu.org] On Behalf Of Matthew Gillen
Sent: Monday, November 24, 2014 1:53 PM
To: discuss at blu.org
Subject: Re: [Discuss] free SSL certs from the EFF

Related to the discussion of how X509 is broken and various hacks to 
make it work:
What I would really like to see is a scheme adopted like SPF for mail: a 
TXT DNS entry for your domain that has the CA (or a fingerprint for the 
CA, or maybe the whole public cert).  That way you can be unequivocal 
about who the valid CA for your domain is.

To me that would solve the biggest problem with the "set of 'trusted' 
CAs" issue.

This is not without new attack vectors: you can only trust DNS responses 
as far as DNS-SEC goes, which unfortunately ends one-hop before 
end-systems (unless you run your own DNS server and force everything on 
your home network to use that; which I do but don't know how common that 
is).

Matt
_______________________________________________
Discuss mailing list
Discuss at blu.org
http://lists.blu.org/mailman/listinfo/discuss
BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix / webmaster@blu.org