-
Cynthia
what do people of jdev think of DNSSEC and DANE being used to authenticate TLS clients and servers without a CA
-
Cynthia
is that cool?
-
moparisthebest
why not both? but sure it's cool
-
Cynthia
DANE uses DNSSEC, i mean
-
Cynthia
you can't have one without the other
-
Cynthia
other than DNSSEC not being dependent on DANE
-
singpolyma
Certainly cool. Ideal, even
-
singpolyma
It's too easy to MITM without that
-
Cynthia
i'd absolutely like to be independent from CAs
-
moparisthebest
Cynthia, sorry I mean why not DNSSEC+DANE *and* signed by a CA? that's what I've been running for... probably a decade or more
-
Cynthia
moparisthebest: ah
-
Cynthia
well, CA signing is a bit of a pain in the ass
-
moparisthebest
that way the things that support DANE don't care about the CA, and things that don't support DANE still trust my certs
-
moparisthebest
CA signing is easy, thanks letsencrypt! I just use acme.sh
-
Cynthia
hahaha
-
Cynthia
before letsencrypt
-
singpolyma
For sure both is still necessary for most services during the transition period
-
Cynthia
you had to pay money to get your cert signed
-
moparisthebest
oh yea I remember the dark days please don't remind me
-
Cynthia
> For sure both is still necessary for most services during the transition period
that's true
-
singpolyma
There were other free robot CAs before letsencrypt
-
singpolyma
And there are others still now
-
singpolyma
ACME being standardized as a protocol for them all is nice though
-
singpolyma
Until we convince everyone to move to DANE
-
Cynthia
browsers still don't support DNSSEC+DANE
-
moparisthebest
as far as XMPP goes all the .im domains are a real problem
-
singpolyma
> as far as XMPP goes all the .im domains are a real problem
There are several solutions to that. And if we get to the point where they are the only holdouts I will be very happy
-
singpolyma
Cynthia: browsers are a whole different security situation anyway
-
moparisthebest
I agree with the last part, for the first part there aren't really solutions
-
singpolyma
Sure there are. Change to a different TLD. Fix the TLD. Run a shadow root for the TLD. For just some examples
-
moparisthebest
Changing is the only "fix" under anyone here's control. Fixing the TLD would of course be nice. Running a DLV is silly as it'd be worse than the current CA system
-
moparisthebest
Don't forget XMPP has 0 support for changing domains 🥲