On Tue, Jun 24, 2014 at 4:21 PM, Matthew Ghali <[email protected]> wrote:
> On Jun 24, 2014, at 9:29 AM, Robert Willmann <[email protected]> wrote:
>
> > The argument, that you won't get a certificate for these names from someone who
> > is recognized by your browser isn't valid: As you only would use such an
> > internal domain for your internal network, you would have to create an internal
> > CA anyway (and put it in your browsers).
>
> You may be much smarter than me, but I have found that establishing and
> maintaining a full internal PKI is a bit more complicated than purchasing a
> certificate. Unless you're talking about half-assing it, in which case I'd
> wonder what the value of the eventual leaf certificates actually is,
> besides security theater.

Exactly what I keep telling people when they start to suggest that DNSSEC or DANE or whatever will make CAs go out of business (I work for Comodo). The cost of a competent PKI specialist is at least $250/hr (unless you have them a very long time and negotiate a lower rate). And finding one will cost you much more than that. A course on DNS/DNSSEC will cost $2000. Same for PKI. Buy a cert and you get free tech support from someone who does nothing but walk people through installing certs all day.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
