From: Gustaf Erikson <gerikson@gmial.com>
Subject: Re: Certificate renewal under TOFU?
Date: Fri, 24 Jun 2022 12:34:52 +0200
Message-ID: <877d568i43.fsf@news.gerikson.com>
Matthew Ernisse <matt@going-flying.com> writes:
> On Tue, 21 Jun 2022 09:44:53 +0200, tpt wrote:
>> On 18-Jun-22 20:24, danrl wrote:
>> Hypothetically speaking, what would be the arguments against using DANE
>> for Gemini? On first glance it seems like a perfect thing for the job.
>
> I don't seem to have the discussion in my mailing list archive but I seem
> to recall that there were those who thought the complexity was too high.
>
> Similar to just getting a real SSL certificate (which I'd argue is trivial
> these days), DANE can be complex to setup if you don't already have DNSSEC
> signing going for your zone. I don't believe DNSSEC zone signing is even
> universally supported by DNS hosts.
I think Let's Encrypt has placed getting a valid SSL cert into a local
minimum. A similar effort would have to be made to simplify DANE.
Speaking as a not-at-all inexperienced amateur sysadmin, DNS is Dark
Magic to me. DANE would have to be at least as turn-key simple as LE to
get me to use it.
/g.
--
A chain is only as strong as its weakest certificate.
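The following is an added example, not code from anyone in this thread, showing what a DANE record for a Gemini server actually looks like and what it buys over a plain TOFU fingerprint at renewal time. It builds RFC 6698 TLSA association data (usage 3 DANE-EE, selector 0 = full certificate or 1 = SubjectPublicKeyInfo, matching type 0/1/2) from raw DER, with a minimal DER walker to extract the SPKI. The certificate is a constructed, unsigned stand-in so the code runs offline; the record name `_1965._tcp.<host>`, the `renewal_demo` function and the helper names are this example's own assumptions. DNS lookup and DNSSEC validation, which are the part the thread calls "Dark Magic", are deliberately out of scope.

```python
"""Added example: DANE-EE TLSA data for a self-signed Gemini cert (RFC 6698)."""
import hashlib
import hmac

SEQ, INT, BITSTR, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _tlv_at(buf: bytes, pos: int):
    """Return (header_len, body_len) of the TLV starting at pos."""
    lf = buf[pos + 1]
    if lf < 0x80:
        return 2, lf
    k = lf & 0x7F
    return 2 + k, int.from_bytes(buf[pos + 2:pos + 2 + k], "big")


def der_children(tlv: bytes) -> list:
    """Split a constructed DER element into its child TLVs (still encoded)."""
    if not tlv[0] & 0x20:
        raise ValueError("not a constructed DER element")
    hl, bl = _tlv_at(tlv, 0)
    pos, end, out = hl, hl + bl, []
    while pos < end:
        chl, cbl = _tlv_at(tlv, pos)
        out.append(tlv[pos:pos + chl + cbl])
        pos += chl + cbl
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """SPKI is the 7th tbsCertificate field when [0] version is present, else the 6th."""
    fields = der_children(der_children(cert_der)[0])
    return fields[6 if fields[0][0] == CTX0 else 5]


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """RFC 6698 association data: select cert or SPKI, then apply the matching type."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format RDATA to publish at _1965._tcp.<host> (assumed name), e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Does the presented end-entity cert satisfy this TLSA record? Usage 3 only."""
    usage, selector, mtype, assoc_hex = rdata.split()
    if int(usage) != 3:
        raise NotImplementedError("usages 0-2 additionally need PKIX chain validation")
    got = association_data(cert_der, int(selector), int(mtype))
    return hmac.compare_digest(bytes.fromhex(assoc_hex), got)


def build_stand_in_cert(pubkey_bits: bytes, serial: int) -> bytes:
    """Constructed v3 Certificate shell with a dummy signature: valid DER for
    walking and hashing, not a PKIX-valid certificate."""
    rsa = der(SEQ, der(OID, bytes.fromhex("2A864886F70D010101")) + der(NULL, b""))  # rsaEncryption
    spki = der(SEQ, rsa + der(BITSTR, b"\x00" + pubkey_bits))
    name = der(SEQ, b"")  # empty Name is enough for a stand-in
    validity = der(SEQ, der(UTCTIME, b"220624000000Z") + der(UTCTIME, b"230624000000Z"))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, serial.to_bytes(1, "big"))
              + rsa + name + validity + name + spki)
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))  # sha256WithRSA
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + bytes(32)))


def renewal_demo() -> dict:
    """Renew the cert but keep the key: a '3 1 1' (SPKI) record survives, '3 0 1' does not."""
    key = bytes(range(64))  # constructed placeholder for the encoded public key
    old = build_stand_in_cert(key, serial=1)
    new = build_stand_in_cert(key, serial=2)
    spki_rr = tlsa_rdata(old, 3, 1, 1)
    cert_rr = tlsa_rdata(old, 3, 0, 1)
    return {
        "spki_rr_matches_renewed": tlsa_matches(spki_rr, new),
        "cert_rr_matches_renewed": tlsa_matches(cert_rr, new),
        "spki_unchanged": spki_from_cert(old) == spki_from_cert(new),
    }


if __name__ == "__main__":
    for k, v in renewal_demo().items():
        print(k, v)
```

The practical point for the thread's subject: a TOFU client pins a hash of the whole certificate, so every renewal looks like a change, whereas a `3 1 1` record pins the public key and only needs touching when the key itself rotates. That does not remove the DNSSEC prerequisite the thread complains about; a client must still get the record over a validated path for the match to mean anything.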