> From: Paul Wouters <[email protected]>
> Note though, that TLSA can pin either the CA or the EE cert. If you pin
> the CA cert, then an attacker could just get _any_ cert from the same CA
> and still subvert you. If you had chosen to pin the EE cert, then the
> attack would have failed completely.
Instead of pinning (certificate usage 1) and so remaining dependent on and paying to get your certs signed by the pile of feckless, insecure commercial CA certs in browsers, why not opt out of the commercial PKI fraud entirely with usage 2 or 3? Besides being more secure with usage 2 or 3, because a rogue CA cert in those nasty browser piles won't be able to sign your web pages even while DNSSEC and your pinning TLSA records are blocked, you wouldn't pay commercial PKI protection money. Note also that usage 2 or 3 can specify your own self-signed CA cert, which can simplify your cert management.

Vernon Schryver [email protected]
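As an added example (not from the thread), here is a small Python model of the RFC 6698 TLSA matching rules that reproduces both points above: a usage 0 CA pin still accepts an attacker's cert issued by the same CA, a usage 1 or 3 EE pin does not, and usages 2 and 3 validate without the browser's CA store. Certificate bytes and chains are constructed stand-ins (not real X.509), public PKIX validity is modelled as a boolean, and DANE-TA chain building is simplified to "an issuer in the chain matches".

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real X.509; assumption).
# A chain is a list ordered from the end-entity (EE) cert up to the root.
def make_cert(name):
    return {"der": b"CERT:" + name.encode(), "spki": b"SPKI:" + name.encode()}

def association_data(cert, selector, matching_type):
    """TLSA 'certificate association data' for one cert (RFC 6698 section 2.1)."""
    raw = cert["der"] if selector == 0 else cert["spki"]       # 0 = full cert, 1 = SPKI
    if matching_type == 0:
        return raw                                               # exact match
    if matching_type == 1:
        return hashlib.sha256(raw).digest()
    if matching_type == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError("unknown matching type")

def tlsa_record(cert, usage, selector=1, matching_type=1):
    """Build the TLSA record that pins `cert` under `usage` (default: SPKI, SHA-256)."""
    return (usage, selector, matching_type, association_data(cert, selector, matching_type))

def tlsa_accepts(record, chain, pkix_valid):
    """Does the presented chain satisfy the record?
    pkix_valid models whether the chain validates against the browser's public CA store:
    usages 0 (PKIX-TA) and 1 (PKIX-EE) require it; usages 2 (DANE-TA) and 3 (DANE-EE) ignore it.
    Simplification: for usages 0 and 2 any issuer in the chain may match; a real DANE-TA
    check also verifies the chain up to that anchor."""
    usage, selector, matching_type, data = record
    if usage in (0, 1) and not pkix_valid:
        return False
    candidates = chain[:1] if usage in (1, 3) else chain[1:]     # EE-only vs issuers-only
    return any(association_data(c, selector, matching_type) == data for c in candidates)

def scenario():
    """The two cases from the thread: CA pin vs EE pin, and an own CA with usage 2/3."""
    commercial_ca = make_cert("commercial-ca")
    own_ca = make_cert("own-self-signed-ca")
    genuine = [make_cert("example.com"), commercial_ca]
    # Attacker obtained a cert for the same name from the same commercial CA (constructed).
    rogue = [make_cert("example.com-attacker"), commercial_ca]
    own_chain = [genuine[0], own_ca]           # same EE key, issued by the operator's own CA
    return {
        "usage0_ca_pin_accepts_rogue": tlsa_accepts(tlsa_record(commercial_ca, 0), rogue, True),
        "usage1_ee_pin_accepts_rogue": tlsa_accepts(tlsa_record(genuine[0], 1), rogue, True),
        "usage1_ee_pin_accepts_genuine": tlsa_accepts(tlsa_record(genuine[0], 1), genuine, True),
        # Usage 1 still needs the browser CA store; usages 2 and 3 do not.
        "usage1_without_public_pkix": tlsa_accepts(tlsa_record(genuine[0], 1), own_chain, False),
        "usage2_own_ca": tlsa_accepts(tlsa_record(own_ca, 2), own_chain, False),
        "usage3_own_ee": tlsa_accepts(tlsa_record(genuine[0], 3), own_chain, False),
    }
```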
