
Re: ca-certificates: no more cacert.org certificates?!?



On 24/03/2014 14:23, Raphael Geissert wrote:
>> Anyway, I strongly recommend that nobody waste their time on an issue
>> which in a couple of years will be much less relevant thanks to DANE.
> If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped 
> support for the latter due to the lack of use[1].
>
> [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
>
Lack of use? No kidding. TLSA RRs were only promoted to IETF Proposed
Standard in August 2012[1]. And DNS servers have only supported them
recently (for 6 months to 1 year, I'd say).
If I understood correctly, Chromium/Google Chrome only supported DNSSEC
validation. The issue with that kind of protocol is that you must trust
your resolver, or have a resolver on your machine, bypassing any
existing resolver cache of your network provider.
However, I'm using DNSSEC Validator[2] on Firefox for quite a long time,
and I'm very happy with it. I'll be glad to see it merged, so that we
can really get rid of those EV x509 certificates, and be able to provide
secure self-hosting solutions for everyone without big scary warnings.

[1]http://tools.ietf.org/html/rfc6698
[2]https://www.dnssec-validator.cz/

Have a good day,

Adrien
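To make the two points of this thread concrete (what a TLSA record actually binds a certificate to, and why the answer is worthless unless it came through DNSSEC validation), here is an added example, not code from this list or from any of the projects mentioned. It implements the RFC 6698 selector/matching-type check for DANE-EE (usage 3) and gates it on a caller-supplied "DNSSEC validated" flag; it assumes the caller has already extracted the certificate's DER and SubjectPublicKeyInfo bytes, and the sample data is constructed, not a real certificate.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse RFC 6698 presentation format: '<usage> <selector> <mtype> <hex>'.
    The hex field may be split over several whitespace-separated groups."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply the record's selector and matching type to the presented certificate.
    Unknown selectors or matching types never match (fail closed)."""
    if rr.selector == 0:
        selected = cert_der
    elif rr.selector == 1:
        selected = spki_der
    else:
        return False
    if rr.mtype == 0:
        return selected == rr.data
    if rr.mtype == 1:
        return hashlib.sha256(selected).digest() == rr.data
    if rr.mtype == 2:
        return hashlib.sha512(selected).digest() == rr.data
    return False


def dane_ee_accepts(records, cert_der: bytes, spki_der: bytes, dnssec_validated: bool) -> bool:
    """DANE-EE (usage 3): accept the end-entity cert if any record matches it.
    Without DNSSEC validation (AD bit from a trusted resolver, or a local
    validating resolver) the TLSA RRset is untrusted data and must be ignored."""
    if not dnssec_validated:
        return False
    return any(rr.usage == 3 and tlsa_matches(rr, cert_der, spki_der) for rr in records)


# Constructed sample data: stand-ins for DER bytes, not a real certificate.
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-spki-der"
# "3 1 1": DANE-EE, SubjectPublicKeyInfo, SHA-256 (hash split into two groups).
SAMPLE_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()[:32] + " " + hashlib.sha256(SAMPLE_SPKI).hexdigest()[32:]
```

Usages 0-2 additionally require PKIX or DANE trust-anchor chain validation, which this check deliberately leaves out.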

