dnssec-trigger + GNOME + NetworkManager integration
Petr Spacek
pspacek at redhat.com
Fri Jul 3 13:43:28 UTC 2015
On 2.7.2015 17:56, Michael Catanzaro wrote:
> On Thu, 2015-07-02 at 16:38 +0200, Reindl Harald wrote:
>> this type of attitude?
>>
>> everybody who reads IT news over the past years about CA's issued
>> certificates even for Google knows that a CA signed certificate does
>> not
>> prove anything - the real problem is wehn this happens for Google
>> somebody takes notice and the press writes about it
>>
>> if the same happens for your domain nobody will recognize it
>
> The situation is going to be getting a lot better in the near future,
> though. We're getting to the point where we can start enforcing
> Google's certificate transparency: if your certificate isn't on the
> public audit list, we can simply reject it. That allows individual web
> sites to get an immediate heads-up whenever any fraudulent certificate
> is issued for their site. (And researchers will be looking after the
> most important sites, of course.) That's not going to fix TLS in
> itself, because most sites probably don't care, but if the site does
> care, it will be impossible to issue a browser-trusted certificate for
> the site without that site knowing. (At least, that's my understanding
> of the technology; I haven't researched it thoroughly.)
>
> You're right that OCSP is worthless. GNOME applications don't currently
> perform any certificate revocation; I'm not willing to implement OCSP
> unless Firefox is willing to enforce it, and they aren't. We should
> implement OneCRL, which solves the revocation problem for intermediate
> certificates, but there doesn't seem to be any reasonable solution for
> individual sites yet. OCSP must-staple seems promising.
>
> Of course, we can't have any of these nice features in GNOME unless
> somebody wants to pay for their implementation. (If so, get in touch
> please.)
For the record, and all this can be solved by DNSSEC + DANE. See RFC 6698.
--
Petr Spacek @ Red Hat
More information about the devel
mailing list