Just realized another problem outsourcing your infra to a third party. When I migrate my blog, how the hell am I supposed to revoke the certificate that Google has for it? They refuse to allow me to claim my account.
Luckily, they keep a short life for it, so it'll expire at the end of May, but it'd be nice to revoke it earlier. They are using Let's Encrypt for it, maybe I can convince Let's Encrypt to revoke it via control of the domain.
Replying to and
If browsers enforced DNSSEC and DANE TLSA records then you could simply add a TLSA record for your current public key and other keys wouldn't be trusted. Sadly, browsers want to bury their heads in the sand and pretend that WebPKI (Domain Validation) isn't bootstrapped from DNS.
Replying to
Thanks for the link. Figured it'd be easy. I use TLSA records, but as you say browsers want to pretend that DV aren't backed by DNS. Funny part is that I use dns-01 for validating my certs with them.