[Discuss] free SSL certs from the EFF
Richard Pieri
richard.pieri at gmail.com
Thu Dec 4 13:00:44 EST 2014
On 12/4/2014 12:15 PM, Joe Polcari wrote:
> To me, that's a good reason for things to stop working.
For certain values of "good" I suppose.
Good news: your email wasn't hacked.
Bad news: you're fired for failing to submit your reports on time.
On 12/4/2014 12:36 PM, John Hall wrote:
> I had not heard of DANE (DNS based authentication of named
> entities). I found found rfc-6698 in a search .. not sure if anyone
> mentioned it yet.
> https://datatracker.ietf.org/doc/rfc6698/
I think Firefox 34 takes note of it. It's a digital signature from a
host's TLS key added to that host's DNS records which you can use
instead of following the X.509 trust chain to verify the certificate.
Which is to say, it shifts trust away from certificate authorities like
VeriSign to top-level DNS registrars like VeriSign.
And it has the same failure modes and lack of failure mitigation that
DNSSEC has.
--
Rich P.
More information about the Discuss
mailing list