BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] free SSL certs from the EFF
- Subject: [Discuss] free SSL certs from the EFF
- From: me at mattgillen.net (Matthew Gillen)
- Date: Mon, 24 Nov 2014 13:52:44 -0500
- In-reply-to: <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com>
- References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com>
Related to the discussion of how X509 is broken and various hacks to make it work: What I would really like to see is a scheme adopted like SPF for mail: a TXT DNS entry for your domain that has the CA (or a fingerprint for the CA, or maybe the whole public cert). That way you can be unequivocal about who the valid CA for your domain is. To me that would solve the biggest problem with the "set of 'trusted' CAs" issue. This is not without new attack vectors: you can only trust DNS responses as far as DNS-SEC goes, which unfortunately ends one-hop before end-systems (unless you run your own DNS server and force everything on your home network to use that; which I do but don't know how common that is). Matt
- Follow-Ups:
- [Discuss] free SSL certs from the EFF
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] free SSL certs from the EFF
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] free SSL certs from the EFF
- From: Joe at Polcari.com (Joe Polcari)
- [Discuss] free SSL certs from the EFF
- References:
- [Discuss] free SSL certs from the EFF
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] free SSL certs from the EFF
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] free SSL certs from the EFF
- Prev by Date: [Discuss] Very odd RCN behavior, PC can connect, but not, routers
- Next by Date: [Discuss] free SSL certs from the EFF
- Previous by thread: [Discuss] free SSL certs from the EFF
- Next by thread: [Discuss] free SSL certs from the EFF
- Index(es):
