"Proxy Certificates: The Missing Link in the Web’s Chain of Trust"
- https://arxiv.org/pdf/1906.10775.pdf
cc @jedisct1
"Short-lived certificates provide comparable security and efficiency benefits to OCSP stapling. 4 days is a suggested validity period. Questions remain, however, around the feasibility of reducing this period to a few minutes"
It reminds me of https://00f.net/2019/05/04/fixing-expired-certificates/
Yup, that's in part why I cc'd Frank :)
Using proxy certificates is also how I've always recommended running DoH servers, for a different reason: https://github.com/jedisct1/rust-doh#operational-recommendations
ESNI should fix this, right?
Nope. You already need an established connection to a resolver to use it. And a bootstrap resolver. Unless the client directly connects to IPs and already knows the server PK. Which is reinventing DNSCrypt, with extra overhead.