[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Shreyas Zare shreyas at technitium.com
Thu Apr 24 02:53:50 EDT 2025


On 4/23/2025 6:25 PM, Salz, Rich via cryptography wrote:
>
>   * All the CAbal exists only because of browsers refusing to do DNSSEC,
>     even now they have a clean and secure path via DoH anyways....
>
> If some random client Joe wants to securely browse some random site 
> foo.blog, how many parties need to be involved?  With TLS, I need the 
> browser and its trust store, Joe, and the owner of foo.blog talking to 
> a CA. Let’s pick a more complicated example, www.kingston.ci.ma.us. 
> The number of entities is still the same.  What’s it like for DNSSEC? 
> Honestly curious.
>
With DNSSEC+DANE (if browsers add DANE support), the website owner can 
just use a self-signed TLS cert and create a TLSA record (DANE-EE mode) 
for the domain name which contains the hash of the self-signed cert. 
That's it.

The web browser just has to fetch the TLSA record (with DNSSEC validation), 
and then match the hash with the cert that the server sends during the 
TLS handshake.

Regards,
*Shreyas Zare*
Technitium <https://technitium.com/>
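
The DANE-EE check described in the reply above, sketched as an added example that is not part of the original post or of any browser's code. The function names, the `dnssec_validated` flag (standing in for the resolver's validation result) and the certificate bytes are assumptions made for illustration; only selector 0 (hash of the full certificate, as the post describes) is handled.

```python
import hashlib
import hmac

# TLSA fields (RFC 6698): usage 3 = DANE-EE, selector 0 = full certificate,
# matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
DANE_EE = 3
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}


def make_tlsa(cert_der: bytes, mtype: int = 1) -> str:
    """Return the TLSA rdata ("3 0 <mtype> <hex>") the site owner would publish."""
    data = cert_der if mtype == 0 else DIGESTS[mtype](cert_der).digest()
    return f"{DANE_EE} 0 {mtype} {data.hex()}"


def parse_tlsa(rdata: str):
    """Split presentation-format rdata into (usage, selector, mtype, bytes)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def dane_ee_match(tlsa_rrset, dnssec_validated: bool, presented_der: bytes) -> bool:
    """Client-side check: does the handshake certificate match any TLSA record?"""
    if not dnssec_validated:
        return False  # an unsigned or bogus answer proves nothing about the cert
    for rdata in tlsa_rrset:
        try:
            usage, selector, mtype, assoc = parse_tlsa(rdata)
        except ValueError:
            continue  # malformed record: unusable, try the next one
        if usage != DANE_EE or selector != 0:
            continue  # other usages and selectors are outside this example
        if mtype == 0:
            candidate = presented_der
        elif mtype in DIGESTS:
            candidate = DIGESTS[mtype](presented_der).digest()
        else:
            continue  # unknown matching type
        if hmac.compare_digest(candidate, assoc):
            return True  # several records may coexist during a cert rollover
    return False


# Constructed stand-ins for DER-encoded certificates (not real certificates).
OLD_CERT = b"constructed-der-bytes-of-old-self-signed-cert"
NEW_CERT = b"constructed-der-bytes-of-new-self-signed-cert"
RRSET = [make_tlsa(OLD_CERT), make_tlsa(NEW_CERT, mtype=2)]

if __name__ == "__main__":
    print(RRSET[0])
    print(dane_ee_match(RRSET, True, NEW_CERT), dane_ee_match(RRSET, False, NEW_CERT))
```

In a real client, `presented_der` would be the DER bytes of the server certificate taken from the TLS handshake, and the record set would be accepted only from a resolver path that performed DNSSEC validation.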