[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Michael Kjörling
9bf3a7ef93bb at ewoof.net
Thu Apr 24 06:01:57 EDT 2025
On 23 Apr 2025 14:14 -0700, from andrew at joseon.com (Andrew Lee):
>> I still think that from our cryptographic viewpoint, there's still
>> the issue that this is comparing one PKI vs another, and there's a
>> whole lot of complication there, particularly when we think about
>> what we could add on to safeguard against an adversary who is an
>> owner of a TLD. What's the analogue of CAA, at least in part? CAA
>> props up weaknesses in the WebPKI via DNS (SEC or not), what would
>> be an analogue?
>
> An analogue to this is decentralizing trust on blockchain (the
> current best solution to ____ centralization).
All other issues with blockchain technology aside, in what way do
DNS CAA RRs (which restrict the set of CAs authorized to issue
certificates for a given host name) solve the same problem as using a
horrendously energy-intensive, storage- and bandwidth-hungry
technology such as proof of work blockchain to distribute trust
anchors for host names (and for DNSSEC no less)?
> I get the need for the CA back in yesteryear, but in 2025 having a
> third party single authoritative “validator” into a cryptographic
> peer to peer communication is wild.
There is no _single_ to the TLS PKI ecosystem. As I mentioned in an
earlier email in this thread to which you replied, there are even
multiple (though, admittedly, few) independently maintained lists of
root CAs.
--
Michael Kjörling
🔗 https://michael.kjorling.se