Re: Certificate renewal under TOFU?

Message headers

From: Gustaf Erikson <gerikson@gmial.com>

Subject: Re: Certificate renewal under TOFU?

Date: Fri, 24 Jun 2022 12:34:52 +0200

Message-ID: <877d568i43.fsf@news.gerikson.com>


Message content


Matthew Ernisse <matt@going-flying.com> writes:


> On Tue, 21 Jun 2022 09:44:53 +0200, tpt wrote:
>> On 18-Jun-22 20:24, danrl wrote:
>> Hypothetically speaking, what would be the arguments against using DANE
>> for Gemini? On first glance it seems like a perfect thing for the job.
>
> I don't seem to have the discussion in my mailing list archive but I seem
> to recall that there were those who thought the complexity was too high.
>
> Similar to just getting a real SSL certificate (which I'd argue is trivial
> these days), DANE can be complex to set up if you don't already have DNSSEC
> signing going for your zone. I don't believe DNSSEC zone signing is even
> universally supported by DNS hosts.


I think Let's Encrypt has placed getting a valid SSL cert into a local
minimum. A similar effort would have to be made to simplify DANE.

Speaking as a not-at-all inexperienced amateur sysadmin, DNS is Dark
Magic to me. DANE would have to be at least as turn-key simple as LE to
get me to use it.



/g.


--

A chain is only as strong as its weakest certificate.


Related

Parent:

Re: Certificate renewal under TOFU? (by Matthew Ernisse <matt@going-flying.com> on Thu, 23 Jun 2022 12:34:55 -0000 (UTC))

Start of thread:

Certificate renewal under TOFU? (by danrl <d@x.gl> on Mon, 30 May 2022 03:31:15 -0000 (UTC))


Children:

Re: Certificate renewal under TOFU? (by tpt <Rajoduo@yahoo.com> on Wed, 29 Jun 2022 18:10:02 +0200)
