But more importantly the problem the original poster was talking about was distinguishing a legit LE cert from a bogus Symantec cert. ACME can’t help with that.
Replying to @tqbf @jarrodfrates and
No, no it can't. DNSSEC could have. You get a record of canonical global truth out of DNSSEC. Instead we're just sort of hobbling along with Cert Transparency on this front.
Replying to @dakami @jarrodfrates and
No, DNSSEC fails essentially the same way: your signatures on your records will be indistinguishable from someone else’s signatures that happen to be delegated during the attack window.
Replying to @tqbf @jarrodfrates and
No, it really doesn't, because GoDaddy (as Not Your Registrar) can't issue signatures in the same way every single CA can. Even if they want to. Verisign can, but you can abandon Verisign. Good luck getting the root to do anything.
Anyway, this is all lots better than the DNS hater solution (you're not at all alone here). Because it exists.
Replying to @dakami @jarrodfrates and
I’m not even arguing, I’m just trying to figure out how we’re talking about Let's Encrypt.
The analog in the modern Web PKI that the original questioner was looking for (to CAA) is CT.
I'm so late to this, but I had to jump in & say that the analog to WebPKI the original poster wanted is definitely not CT, which does not enforce connection security based on website desires - it's HPKP (in HTTP) or DANE (in DNS). You can argue DANE doesn't work, which is fine.
Replying to @TomRittervg @tqbf and
I wanted a solution that gets part of the assurance of HPKP without the giant PITA that is HPKP, which Chrome is deprecating anyway. https://www.chromestatus.com/feature/5903385005916160
Replying to @jarrodfrates @tqbf and
Maybe the browsers need to maintain a mapping of common CA name ("digicert") -> roots, and let HPKP specify CA name. (Doesn't solve pinning to leafs though)
That seems easily doable (updated every major browser version) with CCADB. (cc @wthayer )
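A sketch of the CA-name pin proposed above, as an added example that is not code from anyone in the thread: a browser-maintained mapping of common CA name to root fingerprints (assumed to be refreshed from CCADB per major release) resolves a hypothetical `ca-name="..."` directive in a Public-Key-Pins style header, and the presented chain is accepted only if its root belongs to a pinned CA. The root certificates, their fingerprints and the header directive are constructed stand-ins.

```python
import hashlib
from typing import Dict, List, Set

# Constructed stand-ins for DER-encoded root certificates. A browser would use
# the real roots from its store; here the SHA-256 of the bytes plays the role
# of the root fingerprint.
CONSTRUCTED_ROOTS: Dict[str, bytes] = {
    "digicert-global-root-g2": b"constructed: DigiCert Global Root G2",
    "digicert-global-root-ca": b"constructed: DigiCert Global Root CA",
    "isrg-root-x1": b"constructed: ISRG Root X1",
}

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

# The browser-maintained mapping the tweet proposes: common CA name -> root
# fingerprints, assumed to be rebuilt from CCADB with each major release.
CA_NAME_TO_ROOTS: Dict[str, Set[str]] = {
    "digicert": {fingerprint(CONSTRUCTED_ROOTS["digicert-global-root-g2"]),
                 fingerprint(CONSTRUCTED_ROOTS["digicert-global-root-ca"])},
    "letsencrypt": {fingerprint(CONSTRUCTED_ROOTS["isrg-root-x1"])},
}

def parse_ca_pins(header: str) -> List[str]:
    """Extract the hypothetical ca-name="..." directives from a Public-Key-Pins
    style header value, ignoring the other directives (max-age, pin-sha256...)."""
    names: List[str] = []
    for directive in header.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.strip().lower() == "ca-name":
            names.append(value.strip().strip('"').lower())
    return names

def allowed_root_fingerprints(pinned_names: List[str]) -> Set[str]:
    """Resolve pinned CA names to the union of their root fingerprints. An
    unknown name contributes nothing, so a misspelled pin fails closed."""
    allowed: Set[str] = set()
    for name in pinned_names:
        allowed |= CA_NAME_TO_ROOTS.get(name, set())
    return allowed

def chain_satisfies_pin(header: str, root_der: bytes) -> bool:
    """True when the root anchoring the presented chain belongs to a pinned CA.
    Only the root is consulted: any leaf that CA issued passes, which is the
    leaf-pinning gap the tweet itself notes."""
    return fingerprint(root_der) in allowed_root_fingerprints(parse_ca_pins(header))
```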