nanog mailing list archives
Re: Certificates for DoT and DoH?
From: Bjørn Mork <bjorn () mork no>
Date: Mon, 28 Feb 2022 21:03:48 +0100
Bill Woodcock <woody () pch net> writes:
>> Does this mean that DigiCert is the only alternative?
> I assume not, but we’d already used them for other things, and they didn’t have a problem doing it, so we didn’t shop any further.
Makes sense. That's how I started as well. But we are using Buypass, and for some unknown reason they did have a problem doing it.
>> And do they really have this offer for ordinary users, or is this also some special arrangement for big players only?
> No, we didn’t have to do anything special, to the best of my knowledge.
Good to know. Thanks
>> That does make me wonder how they verify that I'm the rightful owner of "sites, IP addresses, common names, etc.". In particular, "etc" :-) Or you could ask yourself if you trust a CA with such an offer...
> Yep. DANE is the correct answer. CAs are not. But that’s been true for a very long time, and people are still trying to pretend that CAs know what’s what.
Agree 100%. Now I'm going to ask another stupid question: How would DANE work for DoT/DoH? Having TLSA records in in-addr.arpa and ip6.arpa?

Bjørn