On Fri, Dec 02, 2022 at 08:20:58PM +, Ollie wrote:
> That said, in reply to your points, I understand DANE to a level that I know
> PKIX isn't applicable to my original intention/query, so perhaps I haven't
> been clear with what I'm looking to achieve.
DANE has 4 certificate usages, and 2
now see the mailing list is active.
Ollie
-Original Message-
From: Viktor Dukhovni
Sent: 02 December 2022 09:36
To: tls
Subject: Re: [TLS] Trusting self-signed TLS certificates - specifically for
HTTPS
On Fri, Dec 02, 2022 at 06:40:25AM +, Ollie wrote:
> > There's nothing to be ga
On Fri, Dec 02, 2022 at 06:40:25AM +, Ollie wrote:
> > There's nothing to be gained by publishing SCTs in self-issued DANE-EE
> > validated certificates. Are you proposing to make SCTs mandatory in
> > DANE? Which user agents would insist on such SCTs and why? If not,
> > what problem would
> There's nothing to be gained by publishing SCTs in self-issued DANE-EE
> validated certificates. Are you proposing to make SCTs mandatory in
> DANE? Which user agents would insist on such SCTs and why? If not,
> what problem would optionally including them solve?
Yes, primarily for browser user
>
> I don't see this as different to the current spam potential with CT logs
> right now - anyone could distribute out the creation of a bunch certificate
> requests with the likes of Let's Encrypt and submit a bunch of certificate
> chains to CT logs.
Let's Encrypt (and other free CAs) have
On Wed, Nov 30, 2022 at 11:35:09PM +, Ollie wrote:
> It increases the barrier of entry to someone having ownership of a
> valid domain, configuring a full DNSSEC chain and configuring a valid
> certificate with an appropriate DANE record. Everyone of those
> trillion requests would need to be
It increases the barrier of entry to someone having ownership of a valid
domain, configuring a full DNSSEC chain and configuring a valid certificate
with an appropriate DANE record. Everyone of those trillion requests would need
to be a real domain, with full DNSSEC and signatures added to TLSA
I don't see how your proposal prevents spam. With your proposal as is,
nothing stops me from adding trillions of self-signed certificates to the
CT logs.
Best,
Bas
On Wed, Nov 30, 2022 at 8:55 PM Ollie
wrote:
> Hi Bas,
>
> Good question - my suggestion is for CT logs to check for the DANE
On Tue, Nov 29, 2022 at 04:04:58PM +0100, Bas Westerbaan wrote:
> > On the other hand, the actual certificates are not what one
> > would want to log anyway. Instead one would only want to log DS RRsets
> > or NODATA proofs from eTLD registries (gTLDs, ccTLDs and also various
> > 2LD, 3LD, ...
Hi Bas,
Good question - my suggestion is for CT logs to check for the DANE records as
explained in this git repo: https://github.com/OllieJC/justselfsigned.org
Here's a copy:
Unfortunately, existing CT logs do not support SSCs (self-signed certificates)
due to spam concerns (rfc6962). The
>
> On the other hand, the actual certificates are not what one
> would want to log anyway. Instead one would only want to log DS RRsets
> or NODATA proofs from eTLD registries (gTLDs, ccTLDs and also various
> 2LD, 3LD, ... suffixes operated by TLD registries).
This is the case if you run
On Mon, Nov 28, 2022 at 06:23:36PM -0800, Eric Rescorla wrote:
> Thanks for the elaboration, Viktor.
>
> I think the TL;DR here is that this isn't TLS-relevant work at present.
> Either you get the certs directly or you get them via RFC 9102 but in
> either case, TLS has the appropriate support.
Thanks for the elaboration, Viktor.
I think the TL;DR here is that this isn't TLS-relevant work at present.
Either you get the certs directly or you get them via RFC 9102 but in
either case, TLS has the appropriate support.
If you don't need CT--I'm not entirely persuaded by Viktor's argument
On Tue, Nov 29, 2022 at 01:04:14AM +0100, Bas Westerbaan wrote:
> > In essence, I'm proposing that user agents should trust a fully DNSSEC
> > domain with a TLS certificate set up using DANE, along with changes to CT
> > log submission process to allow self-signed certificates (looking to
> >
>
> In essence, I'm proposing that user agents should trust a fully DNSSEC
> domain with a TLS certificate set up using DANE, along with changes to CT
> log submission process to allow self-signed certificates (looking to
> suggest via rfc9162).
>
How do you propose we prevent CT from being DoSed
On Mon, Nov 28, 2022 at 12:27:07PM -0800, Eric Rescorla wrote:
> How much of the TLS part of this objective is achieved by RFC 9102?
Well, RFC9102 is at a different layer. It provides a mechanism for
clients to obtain a TLSA RRset by other means than direct DNS lookup,
because that often runs
16 matches
Mail list logo
