[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Jon Callas
jon at callas.org
Wed Apr 23 16:50:35 EDT 2025
> On Apr 23, 2025, at 12:39, Michael Kjörling <9bf3a7ef93bb at ewoof.net> wrote:
>
> Another page which is relevant to the question would be <https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/>.
>
Thanks! Wow, what a good essay. One where I would also say, for once, read the comments.
There are a number of excellent points in there about subtle things in network architecture, like that TLS protects an application, DNSSEC an address, and these are not the same.
Also that there's a lot of missed opportunity, or 20/20 hindsight, that had DNSSEC been done in the late 90s, and had supporting TLS been a goal, it might have happened. Personally, I think that's far more describing an alternate universe than a missed opportunity, but it's still an interesting thing to think about.
I still think that from our cryptographic viewpoint, there's still the issue that this is comparing one PKI vs another, and there's a whole lot of complication there, particularly when we think about what we could add on to safeguard against an adversary who is an owner of a TLD. What's the analogue of CAA, at least in part? CAA props up weaknesses in the WebPKI via DNS (SEC or not), what would be an analogue?
Jon
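To make concrete what CAA actually does for the WebPKI (and that it is only as strong as the DNS answer it is computed from), here is an added illustration that is not code from this thread: a minimal RFC 8659 CAA evaluator run over a constructed in-memory zone. The zone contents, CA names and the `.test` domains are assumptions for the example; the tree-climb and issue/issuewild/critical-flag handling follow RFC 8659.

```python
"""Evaluate CAA (RFC 8659) against a constructed in-memory zone.

Added illustration, not code from the mailing-list thread: which CAs a
domain's CAA records authorise to issue, with the critical-flag and
wildcard edge cases handled.
"""
from typing import Dict, List, Optional, Tuple

CAA = Tuple[int, str, str]          # (flags, tag, value)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: name -> CAA RRset (assumed data, not real DNS).
ZONE: Dict[str, List[CAA]] = {
    "example.test": [(0, "issue", "ca-one.test"),
                     (0, "issuewild", ";"),          # no wildcard issuance
                     (0, "iodef", "mailto:sec@example.test")],
    "locked.example.test": [(0, "issue", ";")],     # nobody may issue
    "odd.example.test": [(128, "future-tag", "x")], # critical, unknown tag
}

def relevant_rrset(zone: Dict[str, List[CAA]], name: str) -> Optional[List[CAA]]:
    """RFC 8659 s3: climb the tree until a non-empty CAA RRset is found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None

def _issuer_of(value: str) -> str:
    """Issuer-domain-name of an issue/issuewild value ('' means no issuer)."""
    return value.split(";", 1)[0].strip().rstrip(".").lower()

def may_issue(zone: Dict[str, List[CAA]], name: str, ca: str) -> bool:
    """True if CA `ca` is permitted to issue a certificate for `name`.

    Assumption: for a wildcard name the relevant RRset is looked up from
    the name with the leading '*.' removed.
    """
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = relevant_rrset(zone, base)
    if rrset is None:
        return True        # no CAA anywhere up the tree: unrestricted
    # A critical flag on a tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True        # no restricting tags present (e.g. only iodef)
    return any(_issuer_of(v) == ca.rstrip(".").lower() for v in applicable)
```

Note that the evaluator trusts whatever RRset it is handed, which is exactly the gap DNSSEC (or a TLD-level adversary) sits in.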