Re: ca-certificates: no more cacert.org certificates?!?
On Mon, 24 Mar 2014, Adrien CLERC wrote:
> On 24/03/2014 14:23, Raphael Geissert wrote:
> >> Anyway, I strongly recommend that nobody waste their time on an issue
> >> which in a couple of years will be much less relevant thanks to DANE.
> > If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped
> > support for the latter due to the lack of use[1].
> >
> > [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
> >
> Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
> standard in August 2012[1]. And DNS servers have only had support for
> them recently (I'd say 6 months to 1 year).
DNS servers have supported them for years; RFC3597 is over a decade old
by now.
> The issue with that kind of protocol is that you must trust
> your resolver, or have a resolver on your machine, bypassing any
> existing resolver cache of your network provider.
A local validating resolver is not incompatible with using your
provider's recursor (if you actually believe that buys you anything).
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
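
Added example, not part of the original message: RFC 3597 gives every RR type a generic presentation form (`TYPEnnn \# length hex`), so a TLSA record (type 52) can be written and read back without type-specific syntax. The owner name, TTL and certificate bytes below are constructed placeholders, and the helper names are hypothetical.

```python
import hashlib

TLSA_TYPE = 52  # RR type code assigned to TLSA (RFC 6698)

# Constructed placeholder standing in for a DER-encoded certificate.
SAMPLE_CERT_DER = b"constructed placeholder, not a real certificate"


def tlsa_rdata(usage, selector, mtype, data):
    """Build TLSA RDATA: usage, selector, matching type, association data."""
    if not (0 <= usage <= 255 and 0 <= selector <= 255):
        raise ValueError("usage and selector are single octets")
    if mtype == 0:      # exact match on the selected content
        assoc = data
    elif mtype == 1:    # SHA-256 of the selected content
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:    # SHA-512 of the selected content
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return bytes([usage, selector, mtype]) + assoc


def to_generic(owner, rrtype, rdata, ttl=3600):
    """Render a record in RFC 3597 unknown-type presentation format."""
    return f"{owner} {ttl} IN TYPE{rrtype} \\# {len(rdata)} {rdata.hex()}"


def parse_generic(line):
    """Parse an RFC 3597 generic record; reject a wrong declared length."""
    owner, _ttl, klass, typ, marker, length, *hexparts = line.split()
    if klass != "IN" or marker != "\\#" or not typ.startswith("TYPE"):
        raise ValueError("not an RFC 3597 generic record")
    rdata = bytes.fromhex("".join(hexparts))
    if len(rdata) != int(length):
        raise ValueError("declared RDATA length does not match the data")
    return owner, int(typ[4:]), rdata


if __name__ == "__main__":
    # 3 0 1 = DANE-EE, full certificate, SHA-256
    rd = tlsa_rdata(3, 0, 1, SAMPLE_CERT_DER)
    line = to_generic("_443._tcp.www.example.com.", TLSA_TYPE, rd)
    print(line)
    print(parse_generic(line))
```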