So you may know I mismanage www.tcpdump.org. We have a half-dozen mirrors of the site (and code) around the world, all of them donated. 100M of disk space or something... Most answer to www.tcpdump.org as a virtual host, some have their own URLs. HTTP based virtual hosting is simple and cheap, and anyone can put up a mirror using rsync, and then I put the A and AAAA records in along with an extra name like www.us.tcpdump.org (hosted by wireshark).
Now, www.us.tcpdump.org shares a host with www.wireshark.org, and https://www.wireshark.org also exists, and my impression is that some browsers are now doing things like trying port-443, and if it works, assuming that the same content is there. (No, you can't exactly try, because I pulled that IP from www.tcpdump.org pending resolution.)

Let's assume that I want to make this true (that www.tcpdump.org is https-everywhere). We need, at a minimum, universal SNI, or I need to enable this only when there is a unique v6 (because v4 is too scarce) available. Okay, that solves the VirtualHost issue... but it seems that I still have a certificate and private key issue. I could buy certificates for all sites, or... ? Is there some technology I've missed?

I could go DANE with self-signed certificates, which has some advantage. In theory, one could have a dozen TLSA RR in DNS, and fortunately they won't clog up the apex; but in practice, are browsers that support DANE smart enough at this point to search all the records? Going DANE assumes browsers new enough to do SNI, which I guess is good.

I wish we had signed HTTP objects instead, so that I could just sign the web site *contents*, and let the content distribution systems do their job, and let me do mine. (Hey, the entire http site contents are also on github.) Privacy could be machine to machine, while authentication could be browser to web site owner... {I'm allowed to dream, aren't I?}

I know that we have this issue with SMTP, pointing MX records for example.com at ISP mail.example.net, and the names not matching, and I guess we are doing something there.

Am I missing some piece of the puzzle? Some contemplated aspect of TLSA which might let me say, "www.wireshark.org is an allowed name for www.tcpdump.org"??

-- 
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
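As an added example (not code from the original post or from tcpdump.org), the script below builds the "3 1 1" TLSA records the post contemplates for a set of self-signed mirror certificates and then checks a presented certificate against the whole RRset the way an RFC 6698 validator does, accepting if any one record matches. Apart from www.tcpdump.org and www.us.tcpdump.org, the host names and all keys are constructed on the fly; it needs only openssl.

```shell
#!/bin/sh
# Added example, not code from the original post or from tcpdump.org:
# publish one DANE-EE TLSA record per mirror key and check a presented
# certificate against the whole RRset the way an RFC 6698 validator does
# (accept if ANY record matches). All keys and the non-tcpdump.org host
# names are constructed here for the demo. Requires only openssl.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed cert + key for one mirror (CN is cosmetic under DANE-EE).
mk_selfsigned() {  # mk_selfsigned <name>  ->  $WORK/<name>.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# TLSA RDATA "3 1 1 <hex>": usage 3 = DANE-EE (no PKIX chain, so self-signed
# is fine), selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256.
tlsa_311() {  # tlsa_311 <cert.pem>
  h=$(openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 | awk '{print $NF}')
  printf '3 1 1 %s\n' "$h"
}

# Zone side: the RRset at _443._tcp.<host>, one record per mirror certificate.
tlsa_rrset() {  # tlsa_rrset <host> <cert.pem>...
  host=$1; shift
  for c in "$@"; do
    printf '_443._tcp.%s. IN TLSA %s\n' "$host" "$(tlsa_311 "$c")"
  done
}

# Validator side: succeed iff the presented cert matches some record in the set.
dane_match() {  # dane_match <presented.pem> <rrset-file>
  cut -d' ' -f4- "$2" | grep -qxF "$(tlsa_311 "$1")"
}

# Two mirrors with their own keys, plus a key that was never published.
mk_selfsigned www.us.tcpdump.org   # name from the post; key is constructed
mk_selfsigned www.eu.tcpdump.org   # constructed mirror name
mk_selfsigned rogue.example        # constructed, not in the RRset
tlsa_rrset www.tcpdump.org "$WORK/www.us.tcpdump.org.pem" \
  "$WORK/www.eu.tcpdump.org.pem" > "$WORK/tlsa.zone"
cat "$WORK/tlsa.zone"
dane_match "$WORK/www.us.tcpdump.org.pem" "$WORK/tlsa.zone" && echo "us mirror: match"
dane_match "$WORK/rogue.example.pem" "$WORK/tlsa.zone" || echo "rogue key: no match"
```

Usage 3 (DANE-EE) is what makes self-signed certificates workable: the validator compares the key hash directly instead of building a PKIX chain, and RFC 7671 relaxes the certificate name and expiry checks for that usage, so only the published SPKI hashes matter.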
