Certificates for DoT and DoH?
Bjørn Mork
bjorn at mork.no
Mon Feb 28 20:03:48 UTC 2022
Bill Woodcock <woody at pch.net> writes:
>> Does this mean that DigiCert is the only alternative?
>
> I assume not, but we’d already used them for other things, and they
> didn’t have a problem doing it, so we didn’t shop any further.
Makes sense. That's how I started as well. But we are using Buypass,
and for some unknown reason they did have a problem doing it.
>> And do they really have this offer for ordinary users, or is this also some special
>> arrangement for big players only?
>
> No, we didn’t have to do anything special, to the best of my knowledge.
Good to know. Thanks.
>> That does make me wonder how they verify that I'm the rightful owner of
>> "sites, IP addresses, common names, etc.". In particular, "etc" :-)
>> Or you could ask yourself if you trust a CA with such an offer...
>
> Yep. DANE is the correct answer. CAs are not. But that’s been true
> for a very long time, and people are still trying to pretend that CAs
> know what’s what.
Agree 100%.
Now I'm going to ask another stupid question: How would DANE work for
DoT/DoH? Having TLSA records in in-addr.arpa and ip6.arpa?
Bjørn
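An added illustration of the closing question, not part of the thread or any project's code: it builds the RFC 6698 TLSA owner name a DoT client might consult for a resolver reached by IP literal under in-addr.arpa / ip6.arpa (whether clients look there is exactly the open question, so treat it as an assumption), and checks a DANE-EE record against the certificate presented. The certificate and SPKI bytes are constructed stand-ins, not real DER.

```python
import hashlib
import hmac
import ipaddress

DOT_PORT = 853  # DNS-over-TLS, RFC 7858

# Constructed stand-ins for a resolver's DER certificate and its SubjectPublicKeyInfo.
# Real values would come from the TLS handshake; these are only bytes for the demo.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-cert-for-demo"
SAMPLE_SPKI_DER = b"\x30\x59constructed-spki-for-demo"


def tlsa_owner_name(address, port=DOT_PORT, proto="tcp"):
    """RFC 6698 owner name _<port>._<proto>.<name>, where <name> is the reverse
    mapping of the literal address under in-addr.arpa or ip6.arpa (assumed use)."""
    ip = ipaddress.ip_address(address)
    return f"_{port}._{proto}.{ip.reverse_pointer}."


def _digest(selector, mtype, cert_der, spki_der):
    """Certificate association data per RFC 6698: selector picks the bytes,
    matching type says how they are represented in the record."""
    selected = {0: cert_der, 1: spki_der}[selector]  # 0 = full cert, 1 = SPKI
    if mtype == 0:
        return selected                               # exact bytes
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_rdata(selector=1, mtype=1, cert_der=SAMPLE_CERT_DER, spki_der=SAMPLE_SPKI_DER):
    """Presentation-format RDATA for a DANE-EE (usage 3) record: 'usage selector mtype hex'."""
    return f"3 {selector} {mtype} {_digest(selector, mtype, cert_der, spki_der).hex()}"


def tlsa_verify(rdata, cert_der, spki_der):
    """True if a DANE-EE record matches the presented end-entity certificate.
    Usage 3 pins the server key directly, so no CA (PKIX) chain is consulted."""
    usage, selector, mtype, hexdata = rdata.split()
    if int(usage) != 3:
        raise ValueError("only DANE-EE (usage 3) is handled here")
    expected = _digest(int(selector), int(mtype), cert_der, spki_der)
    return hmac.compare_digest(expected, bytes.fromhex(hexdata))
```

For a DoT server reached by hostname rather than IP, the owner name would instead be `_853._tcp.<hostname>.`, and usages 0 and 1 would still require normal PKIX validation alongside the TLSA match.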