Quite old, but still interesting video from DefCon19 about CAs, DNSSEC and that Convergence project as one of the possible solutions.
https://www.youtube.com/watch?v=pDmj_xe7EIQ On Thu, Sep 3, 2015 at 8:59 PM, Kim Alvefur <[email protected]> wrote: > On 2015-09-03 20:31, Evgeny Khramtsov wrote: > > Thu, 3 Sep 2015 20:25:27 +0200 > > Kim Alvefur <[email protected]> wrote: > > > >> But seriously, DANE works already¹, why haven't you deployed it > >> yet? :) > > > > That's not true. In some national domains there is no dnssec support. > > So DANE works in some countries only. > > > > Note the smiley. Just because there isn't 100% deployment yet, doesn't > mean that it does not work today. I had to switch registrar, self-host > my authoritative DNS server and write a bunch of tooling to deploy DANE. > So > > On 2015-09-03 19:25, Andreas Tauscher wrote: > > And since it is DNS based it would be > > easy to implement. > > not so much. But it's getting easier. And you can set it up today if > you are careful with your choice of TLD, registrar and dns hosting. And > there will still be CA-issued certificates around for a long time, so > any alternative is likely to be used in parallel where possible and > deployed. > > -- > Kim "Zash" Alvefur > >
