[AusNOG] Lets Encrypt

Matt Palmer mpalmer at hezmatt.org
Wed Nov 19 16:56:56 EST 2014


On Wed, Nov 19, 2014 at 03:42:27PM +1100, Mark Andrews wrote:
> In message <20141119032436.GU5614 at hezmatt.org>, Matt Palmer writes:
> > On Wed, Nov 19, 2014 at 11:52:56AM +1100, Mark Andrews wrote:
> > > The only thing really stopping DANE deployment is nay sayers.
> > 
> > That's rather like saying that the only thing stopping FTL travel is the
> > laws of physics.  It's a truism, and not helpful to point out.  Rather more
> > useful would be to state *why* people are "saying nay" (apart from a
> > predilection for talking like a horse, perhaps) so that those problems can
> > be worked on.
> 
> Like the nay sayers that said the root would never be signed, or
> the nay sayer that said most tld operators won't deploy, or the nay
> sayers that said that nobody will verify, or the nay sayers that
> said registrars won't support DNSSEC, or ...

Sure, but how long was it between when it was *possible* for these things to
happen, and when they *did* happen?  Quite a considerable period.

> Guess what, those nay sayers were proven wrong.  It's only a matter
> of time to when DANE checking is ubiquitous.  It will end up being
> something on by default.

And in the meantime, what does everyone do?  Just wait patiently until
enough of the world pulls their collective fingers out and deploys DNSSEC and
TLSA records universally?  Or perhaps deploy improved methods of deploying
CA-validated certs in the meantime?

You kicked off this sub-thread with a comment that I took to mean that Let's
Encrypt was of absolutely no use, because everyone should just deploy DANE
right now.  Except that you're ignoring the fact that I can't put TLSA
records on any of my .au domains, and 99% of visitors to sites using TLSA
records will get a dirty big "OMFG untrusted!" interstitial.  So I'm arguing
that as great as DNSSEC and DANE *are* (and they are, undeniably, Good
Things), that Let's Encrypt is *also* a good thing for the Internet as it
stands today.  The Internet of "Wouldn't It Be Great If" doesn't need it,
but then I don't have a connection to that.

- Matt