[AusNOG] Lets Encrypt

Matt Palmer mpalmer at hezmatt.org
Wed Nov 19 14:24:36 EST 2014


On Wed, Nov 19, 2014 at 11:52:56AM +1100, Mark Andrews wrote:
> 
> In message <20141119001623.GT5614 at hezmatt.org>, Matt Palmer writes:
> > On Wed, Nov 19, 2014 at 11:01:30AM +1100, Mark Andrews wrote:
> > > 
> > > In message <20141118234925.GS5614 at hezmatt.org>, Matt Palmer writes:
> > > > On Wed, Nov 19, 2014 at 09:34:04AM +1000, Ernie wrote:
> > > > > https://letsencrypt.org/
> > > > > 
> > > > > My question is, will this screw up companies like Verisign/Thawte sales?
> > > > 
> > > > Not much, if any.  People who want cheap/free certs already, for the most
> > > > part, know where to get them from.  The more "premium" brands make their
> > > > money via the brand, offering insurance (as much of a crock as it is),
> > > > higher-validation (OV/EV) certificates, and other signalling effects that
> > > > are unrelated to the *technical* product being offered.
> > > > 
> > > > That being said, Let's Encrypt is a *great* initiative, and I'm 100% behind
> > > > it.  Making certificate issuance easier (to the point of being entirely
> > > > automated) via the ACME protocol will massively reduce the barrier to TLS
> > > > deployment, which can only serve to benefit the confidentiality of traffic
> > > > on the Internet.
> > > 
> > > Or we could just deploy DANE and not require a CA to issue CERTs.
> > 
> > That'll always be the dream... given how much of a shitfight it is to get
> > IPv6 deployed, when there's a real Oh Shit moment coming for IPv4, I have my
> > doubts that DNSSEC is ever going to really get the widespread deployment
> > needed to make DANE practical.  Without it being something that servers can
> > roll out, clients won't support it (for example, the Chrome people aren't
> > fans, for various understandable reasons), and so it goes nowhere.
> 
> DNSSEC is widely deployed at the root/tld level.  There are 749
> zones with 557 secure delegations from the root zone.  569 TLD zones
> have DNSKEY records.

That's not particularly helpful, though, since I rarely visit root/tld
webservers, nor send them e-mail.

> Chrome is one web browser.

With over 10% market share.  The tickets for built-in DANE support in
Firefox aren't exactly seeing a lot of love either, though.

> There are plugins for DANE support for many browsers today.

Plugins -- not core to the browser.  So how do I avoid showing the "OMFG not
trusted!" page to the 99%+ of users who don't have the plugin installed?

> The only thing really stopping DANE deployment is naysayers.

That's rather like saying that the only thing stopping FTL travel is the
laws of physics.  It's a truism, and not helpful to point out.  Rather more
useful would be to state *why* people are "saying nay" (apart from a
predilection for talking like a horse, perhaps) so that those problems can
be worked on.

- Matt

-- 
[On LDAP] "Lightweight my ass.  The fact that X.509 has the weight of an
18-wheel rig doesn't make a minivan something you shove in your backpack."
		-- Zed Pobre, ASR