Re: Certificates for DoT and DoH?

[Bjørn Mork <bjorn () mork no>]

Bill Woodcock <woody () pch net> writes:

> > Does this mean that DigiCert is the only alternative?
>
> I assume not, but we’d already used them for other things, and they
> didn’t have a problem doing it, so we didn’t shop any further.

Makes sense.  That's how I started as well.  But we are using Buypass,
and for some unknown reason they did have a problem doing it.


> > And do they really have this offer for ordinary users, or is this also some special
> > arrangement for big players only?
>
> No, we didn’t have to do anything special, to the best of my knowledge.

Good to know.  Thanks

> > That does make me wonder how they verify that I'm the rightful owner of
> > "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
> > Or you could ask yourself if you trust a CA with such an offer...
>
> Yep.  DANE is the correct answer.  CAs are not.  But that’s been true
> for a very long time, and people are still trying to pretend that CAs
> know what’s what.


Agree 100%.

Now I'm going to ask another stupid question:  How would DANE work for
DoT/DoH?  Having TLSA records in in-addr.arpa and ip6.arpa?


Bjørn