Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

2022-11-30 Thread Viktor Dukhovni
On Wed, Nov 30, 2022 at 11:35:09PM +, Ollie wrote: > It increases the barrier of entry to someone having ownership of a > valid domain, configuring a full DNSSEC chain and configuring a valid > certificate with an appropriate DANE record. Every one of those > trillion requests would need to be

Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

2022-11-30 Thread Ollie
Hi Bas, Good question - my suggestion is for CT logs to check for the DANE records as explained in this git repo: https://github.com/OllieJC/justselfsigned.org Here's a copy: Unfortunately, existing CT logs do not support SSCs (self-signed certificates) due to spam concerns (rfc6962). The

Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

2022-11-30 Thread Bas Westerbaan
I don't see how your proposal prevents spam. With your proposal as is, nothing stops me from adding trillions of self-signed certificates to the CT logs. Best, Bas On Wed, Nov 30, 2022 at 8:55 PM Ollie wrote: > Hi Bas, > > Good question - my suggestion is for CT logs to check for the DANE

Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

2022-11-30 Thread Ollie
It increases the barrier of entry to someone having ownership of a valid domain, configuring a full DNSSEC chain and configuring a valid certificate with an appropriate DANE record. Every one of those trillion requests would need to be a real domain, with full DNSSEC and signatures added to TLSA

Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

2022-11-30 Thread Viktor Dukhovni
On Tue, Nov 29, 2022 at 04:04:58PM +0100, Bas Westerbaan wrote: > > On the other hand, the actual certificates are not what one > > would want to log anyway. Instead one would only want to log DS RRsets > > or NODATA proofs from eTLD registries (gTLDs, ccTLDs and also various > > 2LD, 3LD, ...