[Discuss] free SSL certs from the EFF
Joe Polcari
Joe at Polcari.com
Mon Nov 24 14:24:17 EST 2014
I also use dns-sec and feed it to my devices.
-----Original Message-----
From: discuss-bounces+joe=polcari.com at blu.org
[mailto:discuss-bounces+joe=polcari.com at blu.org] On Behalf Of Matthew Gillen
Sent: Monday, November 24, 2014 1:53 PM
To: discuss at blu.org
Subject: Re: [Discuss] free SSL certs from the EFF
Related to the discussion of how X509 is broken and various hacks to
make it work:
What I would really like to see is a scheme adopted like SPF for mail: a
TXT DNS entry for your domain that has the CA (or a fingerprint for the
CA, or maybe the whole public cert). That way you can be unequivocal
about who the valid CA for your domain is.
To me that would solve the biggest problem with the "set of 'trusted'
CAs" issue.
This is not without new attack vectors: you can only trust DNS responses
as far as DNS-SEC goes, which unfortunately ends one-hop before
end-systems (unless you run your own DNS server and force everything on
your home network to use that; which I do but don't know how common that
is).
Matt
_______________________________________________
Discuss mailing list
Discuss at blu.org
http://lists.blu.org/mailman/listinfo/discuss
More information about the Discuss
mailing list