Certificates for DoT and DoH?

Bjørn Mork bjorn at mork.no
Mon Feb 28 20:03:48 UTC 2022


Bill Woodcock <woody at pch.net> writes:

>> Does this mean that DigiCert is the only alternative?
>
> I assume not, but we’d already used them for other things, and they
> didn’t have a problem doing it, so we didn’t shop any further.

Makes sense.  That's how I started as well.  But we are using Buypass,
and for some unknown reason they did have a problem doing it.


>> And do they really have this offer for ordinary users, or is this also some special
>> arrangement for big players only?
>
> No, we didn’t have to do anything special, to the best of my knowledge.

Good to know.  Thanks

>> That does make me wonder how they verify that I'm the rightful owner of
>> "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
>> Or you could ask yourself if you trust a CA with such an offer...
>
> Yep.  DANE is the correct answer.  CAs are not.  But that’s been true
> for a very long time, and people are still trying to pretend that CAs
> know what’s what.


Agree 100%.

Now I'm going to ask another stupid question:  How would DANE work for
DoT/DoH?  Having TLSA records in in-addr.arpa and ip6.arpa?


Bjørn
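The idea floated in the question above, TLSA records under the reverse zones for a DoT/DoH server reached by IP, is sketched here as an added example; it is not part of the original post, and the owner-name scheme (RFC 6698 `_port._proto` labels applied to the in-addr.arpa / ip6.arpa name) is the poster's hypothesis, not an established practice. The SPKI bytes are a constructed placeholder, and the whole scheme only means anything if the reverse zones are DNSSEC-signed.

```python
import hashlib
import ipaddress

# Constructed placeholder for a DER-encoded SubjectPublicKeyInfo.  A real
# verifier would take this from the DoT/DoH server's leaf certificate.
SAMPLE_SPKI_DER = b"\x30\x0a\x06\x03\x2b\x65\x70\x03\x03\x00\xaa\xbb"


def reverse_name(ip: str) -> str:
    """Owner name in in-addr.arpa or ip6.arpa for a v4 or v6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def tlsa_owner(ip: str, port: int = 853, proto: str = "tcp") -> str:
    """Hypothetical owner name: the RFC 6698 _port._proto prefix applied to
    the reverse-mapping name instead of a forward hostname (853 = DoT)."""
    return f"_{port}._{proto}.{reverse_name(ip)}"


def tlsa_rdata(spki_der: bytes) -> str:
    """DANE-EE (usage 3), SPKI selector (1), SHA-256 (1): pins the server's
    public key without consulting any CA, which is the point of using DANE."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def tlsa_record(ip: str, spki_der: bytes, port: int = 853) -> str:
    """Full presentation-format record a resolver operator would publish."""
    return f"{tlsa_owner(ip, port)} IN TLSA {tlsa_rdata(spki_der)}"


def spki_matches(spki_der: bytes, rdata: str) -> bool:
    """Client-side check: does the presented SPKI match the 3 1 1 record?"""
    usage, selector, mtype, digest = rdata.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        return False  # only the one combination this example publishes
    return hashlib.sha256(spki_der).hexdigest() == digest.lower()


if __name__ == "__main__":
    for addr in ("192.0.2.53", "2001:db8::53"):
        print(tlsa_record(addr, SAMPLE_SPKI_DER))
```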


More information about the NANOG mailing list