On Fri, Aug 30, 2019, 18:34 Bjørn Mork <bjorn@mork.no> wrote:

> Sander Steffann <sander@steffann.nl> writes:
>
>> Yep. I wish the use of TLSA was more widespread. It doesn't require third parties to "certify" who is who.
>
> +1
>
> There is still too much money in the CA business.

I would argue not, but given that RIPE itself is still paying DigiCert, that argument would be moot.

> Which is the reason why no major browser does TLSA validation.

*<Citation needed>*

> And why "best practices" allow, or even recommend, inferior solutions like CAA, HPKP and other bad ideas instead of DANE.

How on earth is having a CAA record which pinpoints who is allowed to issue certificates on your behalf an inferior solution? An RR that you use with DANE, btw. o_O

> You gotta look at the source of those recommendations. They are most likely "best" for someone's wallet. Not necessarily for security.

Still no one has answered why RIPE is using self-signed certs for anchors when they can use Let's Encrypt for free... It's amazing that they still try to make those pigs fly.

Who are they? The evil certificate cabal that is out to destroy the world? Do I need to start wearing my tin foil hat when I go out riding and storm Area 51 while I'm at it? ;)

In any case, to stay on topic: if the person or team that is responsible for the certificates on anchors can answer why they chose to use self-signed certs, and why the RIPE community is still paying for DigiCert when there is an equally good, free signed alternative in an open community available, that would be good. If the answer is "we have not gotten around to it yet, but are planning to switch to Let's Encrypt for our self-signed and paid certificates" *wink*wink**nudge*nudge* that would be even better.

Thanks
JBG
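The thread argues about TLSA (DANE) versus CAA without showing what either record actually checks. The script below is an added example, not part of the thread and not code from RIPE or any of the posters: it builds a toy DER certificate inline (constructed for the example, standing in for what a TLS handshake would deliver), derives a "3 1 1" TLSA record (DANE-EE, SPKI selector, SHA-256) from it, verifies presented certificates against that record, and applies an RFC 8659 CAA issuance check to a constructed RRset. Only the standard library is used; the minimal DER encoder/parser and the helper names are assumptions of this example.

```python
"""Added example: what TLSA (DANE) and CAA records actually check.

Assumptions of this example (not from the thread): a toy X.509-shaped DER
certificate is constructed inline so the script runs offline; only the
DANE-EE usage (3) is implemented, which matches the end-entity cert itself.
"""
import hashlib

SEQ, INT, OID, NULL, BITSTR = 0x30, 0x02, 0x06, 0x05, 0x03


def der_len(n):
    """DER length encoding (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, off):
    """Return (tag, raw_tlv, body, next_offset) for the element at buf[off:]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    start = off + hdr
    end = start + length
    return tag, buf[off:end], buf[start:end], end


def make_cert(public_key_bits, serial=1):
    """Toy certificate (constructed): SEQ { tbsCertificate, sigAlg, signature }.
    The tbsCertificate carries the v1 field order: serial, signature alg,
    issuer, validity, subject, subjectPublicKeyInfo (names/validity left empty)."""
    rsa_oid = tlv(OID, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    alg = tlv(SEQ, rsa_oid + tlv(NULL, b""))
    spki = tlv(SEQ, alg + tlv(BITSTR, b"\x00" + public_key_bits))
    tbs = tlv(SEQ, tlv(INT, bytes([serial])) + alg + tlv(SEQ, b"") * 3 + spki)
    fake_signature = tlv(BITSTR, b"\x00" + b"\xaa" * 8)  # not a real signature
    return tlv(SEQ, tbs + alg + fake_signature)


def extract_spki(cert_der):
    """Pull the raw SubjectPublicKeyInfo TLV out of a DER certificate."""
    _, _, cert_body, _ = read_tlv(cert_der, 0)
    _, _, tbs, _ = read_tlv(cert_body, 0)
    fields, off = [], 0
    while off < len(tbs):
        tag, raw, _, off = read_tlv(tbs, off)
        fields.append((tag, raw))
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version present (v2/v3 certs)
        fields = fields[1:]
    return fields[5][1]  # serial, sigAlg, issuer, validity, subject, SPKI


def tlsa_record(cert_der, usage=3, selector=1, mtype=1):
    """Presentation form of a TLSA RR for this certificate.
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo only;
    matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        assoc = data.hex()
    return f"{usage} {selector} {mtype} {assoc}"


def tlsa_matches(record, presented_cert_der):
    """DANE-EE check: recompute the association data from the presented cert
    and compare. No CA is consulted; the DNS (DNSSEC-signed) record is the trust anchor."""
    usage, selector, mtype, _ = record.split()
    if int(usage) != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is shown here")
    return tlsa_record(presented_cert_der, 3, int(selector), int(mtype)) == record


def caa_permits(caa_records, ca_domain, wildcard=False):
    """RFC 8659 issuance decision over an RRset of (flags, tag, value) tuples.
    'issuewild' governs wildcard requests when present, otherwise 'issue' does.
    No relevant property means unrestricted; a value of ';' forbids every CA."""
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in caa_records):
        tag = "issuewild"
    relevant = [v for _, t, v in caa_records if t == tag]
    if not relevant:
        return True
    for value in relevant:
        domain = value.split(";", 1)[0].strip()  # parameters after ';' ignored here
        if domain and domain.lower() == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    key = b"\x01" * 32
    cert = make_cert(key, serial=1)
    record = tlsa_record(cert)  # "3 1 1 <sha256 of SPKI>"
    renewed = make_cert(key, serial=2)  # same key, new certificate
    print(record)
    print("renewal keeps matching:", tlsa_matches(record, renewed))
    print("other key rejected:", tlsa_matches(record, make_cert(b"\x02" * 32)))
    caa = [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")]
    print("LE may issue:", caa_permits(caa, "letsencrypt.org"))
    print("other CA may issue:", caa_permits(caa, "digicert.com"))
```

The point the script makes about the thread's argument: a "3 1 1" record pins the key, so a renewal with the same key still validates while any other key is rejected without asking a CA, whereas CAA only tells a CA whether it is allowed to issue and does nothing at connection time; the two records answer different questions and are not substitutes for each other.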