ssl (20/09/17 18:15:11)
The not-as-good side is that all websites need to:
- spend money on certificates.
- reveal their identity.
- or spend more money on hiding their identity.
(Roll back the clock to '95. There wouldn't be Fravia, at least not for long.)
Now the OTHER thing seems to be more interesting and maybe solves the top problem together with others. The Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, targets the problem that Certification Authorities are scopeless: basically ANY CA on your browser's built-in list can validate ANY website, which is pretty brainless IMO. CAA is supposed to solve this by giving the CAs scope:
"CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames. It operates via a new DNS resource record (RR) called CAA (type 257). Owners can restrict certificate issuance by specifying zero or more CAs; if a CA is allowed to issue a certificate, their own hostname will be in the DNS record."
Now it seems that if a website owner wants to issue a certificate, the only thing they need to control is their DNS, which looks more friendly right now.
I for one have a RootCA generating Intermediates for my .nets and .orgs, which generate certs for all the subdomains. BUT because my RootCA is self-validated as well, if any of my friends want to get to those sites, they need to be able and willing to import my CA (chain) into their browser (inconvenient/difficult/could even be risky). Now if my DNS could define my CA, that would be wonderful.
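The CA-side decision the post describes, as an added example that is not part of the original post: given a hostname, a CA walks up the DNS tree until it finds a CAA record set (RFC 6844 section 4), then checks whether its own issuer domain appears in the `issue` (or, for wildcard names, `issuewild`) properties, and refuses if an unknown property is flagged critical. The zone data, CA names and the `relevant_caa_set` lookup are constructed stand-ins for real DNS resolution.

```python
"""
Offline evaluation of CAA (RFC 6844) issuance policy.

Added example, not code from the forum post. The ZONE table below is
constructed sample data; in practice the lookup is a DNS query for
CAA records (type 257) against each label from the hostname up to the root.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL = 128  # RFC 6844 section 5.1: "issuer critical" flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed sample zone (hypothetical names): example.net allows one CA,
# forbids wildcard issuance, and a sub-zone overrides with its own policy.
ZONE: Dict[str, List[CAA]] = {
    "example.net": [
        CAA(0, "issue", "ca.example-authority.test"),
        CAA(0, "issuewild", ";"),          # ';' alone: no CA may issue wildcards
        CAA(0, "iodef", "mailto:security@example.net"),
    ],
    "lab.example.net": [
        CAA(0, "issue", "internal-ca.example.net"),
    ],
    "strict.example.org": [
        # Unknown tag with the critical flag set: a CA that does not
        # understand it must not issue (RFC 6844 section 5.1).
        CAA(CRITICAL, "futuretag", "something"),
    ],
}


def relevant_caa_set(hostname: str) -> List[CAA]:
    """Walk from the hostname toward the root; the first label that has
    CAA records supplies the relevant set (RFC 6844 section 4)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in ZONE:
            return ZONE[name]
    return []


def parse_issue_value(value: str) -> Optional[str]:
    """Issuer domain from an issue/issuewild value, or None when the
    value is ';' (explicitly nobody). Parameters after ';' are ignored."""
    domain = value.split(";", 1)[0].strip().lower()
    return domain or None


def may_issue(ca_domain: str, requested_name: str) -> bool:
    """Return True if the CA identified by ca_domain is authorised to
    issue a certificate for requested_name (which may start with '*.')."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    records = relevant_caa_set(base)
    if not records:
        return True  # no CAA anywhere in the tree: issuance is not restricted

    known_tags = {"issue", "issuewild", "iodef"}
    for r in records:
        if r.tag.lower() not in known_tags and r.flags & CRITICAL:
            return False  # critical property we cannot interpret: refuse

    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # Wildcard requests are governed by issuewild when present, else by issue;
    # non-wildcard requests ignore issuewild entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # the set restricts only through the properties it carries

    allowed = {parse_issue_value(r.value) for r in applicable}
    allowed.discard(None)
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for ca, name in [
        ("ca.example-authority.test", "www.example.net"),
        ("other-ca.test", "www.example.net"),
        ("ca.example-authority.test", "*.example.net"),
        ("ca.example-authority.test", "dev.lab.example.net"),
        ("any-ca.test", "strict.example.org"),
    ]:
        print(f"{ca:28} -> {name:22} : {'issue' if may_issue(ca, name) else 'REFUSE'}")
```

The sub-zone entry shows the part the post is after: `lab.example.net` names a private CA, so a public CA that is authorised for `example.net` is still refused for anything under `lab.`; with no record at all (the `example.com` case) every CA remains permitted, which is the pre-CAA default the post complains about.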