[AusNOG] Lets Encrypt

Matt Palmer mpalmer at hezmatt.org
Wed Nov 19 11:16:23 EST 2014


On Wed, Nov 19, 2014 at 11:01:30AM +1100, Mark Andrews wrote:
> 
> In message <20141118234925.GS5614 at hezmatt.org>, Matt Palmer writes:
> > On Wed, Nov 19, 2014 at 09:34:04AM +1000, Ernie wrote:
> > > https://letsencrypt.org/
> > > 
> > > My question is, will this screw up companies like Verisign/Thawte sales?
> > 
> > Not much, if any.  People who want cheap/free certs already, for the most
> > part, know where to get them from.  The more "premium" brands make their
> > money via the brand, offering insurance (as much of a crock as it is),
> > higher-validation (OV/EV) certificates, and other signalling effects that
> > are unrelated to the *technical* product being offered.
> > 
> > That being said, Let's Encrypt is a *great* initiative, and I'm 100% behind
> > it.  Making certificate issuance easier (to the point of being entirely
> > automated) via the ACME protocol will massively reduce the barrier to TLS
> > deployment, which can only serve to benefit the confidentiality of traffic
> > on the Internet.
> 
> Or we could just deploy DANE and not require a CA to issue CERTs.

That'll always be the dream... given how much of a shitfight it is to get
IPv6 deployed, when there's a real Oh Shit moment coming for IPv4, I have my
doubts that DNSSEC is ever going to really get the widespread deployment
needed to make DANE practical.  Without it being something that servers can
roll out, clients won't support it (for example, the Chrome people aren't
fans, for various understandable reasons), and so it goes nowhere.

Don't get me wrong -- I think DANE's great, and all my domains are
DNSSEC-enabled, so I'm drinking the Kool-Aid, but at the same time the
realist in me says that letsencrypt.org is going to do a lot more for
Internet security than DANE will, in the next... oooh, probably decade or
so.

> According to http://www.auda.org.au/industry-information/au-domains/dnssec/
> the DS records for AU should have been added to the root zone back on 28th
> of October.

"Should" being the operative word there:

    http://dnssec-debugger.verisignlabs.com/com.au

- Matt

-- 
You know you have a distributed system when the crash of a computer you’ve
never heard of stops you from getting any work done.
		-- Leslie Lamport "Security Engineering: A Guide to Building
		   Dependable Distributed Systems"
