jdev - 2024-12-29


  1. Cynthia

    what do people of jdev think of DNSSEC and DANE being used to authenticate TLS client and servers without a CA

  2. Cynthia

    is that cool?

  3. moparisthebest

    why not both? but sure it's cool

  4. Cynthia

    DANE uses DNSSEC, i mean

  5. Cynthia

    you can't have one without the other

  6. Cynthia

    other than DNSSEC not being dependent on DANE

  7. singpolyma

    Certainly cool. Ideal, even

  8. singpolyma

    It's too easy to MITM without that

  9. Cynthia

    i'd absolutely like to be independent from CAs

  10. moparisthebest

    Cynthia, sorry, I mean why not DNSSEC+DANE *and* signed by a CA? that's what I've been running for... probably a decade or more

  11. Cynthia

    moparisthebest: ah

  12. Cynthia

    well, CA signing is a bit of a pain in the ass

  13. moparisthebest

    that way the things that support DANE don't care about the CA, and things that don't support DANE still trust my certs

  14. moparisthebest

    CA signing is easy, thanks letsencrypt! I just use acme.sh

  15. Cynthia

    hahaha

  16. Cynthia

    before letsencrypt

  17. singpolyma

    For sure both is still necessary for most services during the transition period

  18. Cynthia

    you had to pay money to get your cert signed

  19. moparisthebest

    oh yea I remember the dark days please don't remind me

  20. Cynthia

    > For sure both is still necessary for most services during the transition period
    that's true

  21. singpolyma

    There were other free robot CAs before letsencrypt

  22. singpolyma

    And there are others still now

  23. singpolyma

    ACME being standardized as a protocol for them all is nice though

  24. singpolyma

    Until we convince everyone to move to DANE

  25. Cynthia

    browsers still don't support DNSSEC+DANE

  26. moparisthebest

    as far as XMPP goes all the .im domains are a real problem

  27. singpolyma

    > as far as XMPP goes all the .im domains are a real problem
    There are several solutions to that. And if we get to the point where they are the only holdouts I will be very happy

  28. singpolyma

    Cynthia: browsers are a whole different security situation anyway

  29. singpolyma

    > as far as XMPP goes all the .im domains are a real problem
    There are several solutions to that. And if we get to the point where they are the only holdouts I will be very happy

  30. moparisthebest

    I agree with the last part, for the first part there aren't really solutions

  31. singpolyma

    Sure there are. Change to a different TLD. Fix the TLD. Run a shadow root for the TLD. For just some examples

  32. moparisthebest

    Changing is the only "fix" under anyone here's control. Fixing the TLD would of course be nice. Running a DLV is silly as it'd be worse than the current CA system

  33. moparisthebest

    Don't forget XMPP has 0 support for changing domains 🥲