At the moment, Let's Encrypt primarily issues certificates based on insecure, authenticated HTTP-based validation of domain control.
They validate DNSSEC but the HTTP-01 method by itself is insecure and the DNS-01 method requires giving servers DNS API access which isn't good.
Conversation
This Tweet was deleted by the Tweet author. Learn more
i don't remember what the specifics are, but they check from multiple servers distributed around the world
1
oh, their checks aren't as diverse as i thought but it's a good start i guess letsencrypt.org/2020/02/19/mul
1
They appear to consistently check from 2 perspectives. If there's an attacker with a MITM to both locations, there's currently no way to defend against them getting a Let's Encrypt certificate until they ship the nice accounturi feature. DNSSEC + accounturi gives secure issuance.
This Tweet was deleted by the Tweet author. Learn more
WebPKI is build on poorly verifying domain control based on DNS. WebPKI depends on DNS security. Removing CAs from the picture and using DANE TLSA doesn't require trusting any additional parties but rather reduces trust to the entities in control of naming, who you trust anyway.
It doesn't move the problem. It eliminates the vast majority of the problem and makes the core root of trust which was still there in the CA system much more clear. You choose your TLD based on who you trust. You still trust them if you use WebPKI. They can get a certificate.
1
1
If you used the .ca TLD, the Canadian government has the control needed to obtain a certificate for your domain without your consent if they choose. Why would you also want to trust tens of thousands of CA and sub-CA entities instead of TLD + registrar? There's also non-IANA DNS.
2
1
Show replies