30 Aug 2019, 4:36 p.m.
Hi,
Hold your horses, a self-signed cert with proper TLSA records in a DNSSEC-signed domain is even better; see https://tools.ietf.org/html/rfc6698.
Besides other things, a correctly configured TLSA record + client-side validation prevents rogue or compromised CAs from issuing "fake but accepted as valid" certs.
So I would say RIPE NCC is attempting to do security in the most modern way available.
Yep. I wish the use of TLSA was more widespread. It doesn't require third parties to "certify" who is who.

Cheers,
Sander
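The client-side TLSA check this thread refers to, as an added example that is not part of either message: it matches a presented certificate against one DANE-EE record (usage 3) using the selector and matching-type values defined in RFC 6698. The function names and the DER skeleton are constructed for illustration, and the TLSA answer is assumed to have already been DNSSEC-validated by the resolver.

```python
import hashlib
import hmac

def der(tag, body):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (selector 1) of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)    # enter Certificate
    _, pos, _ = read_tlv(cert_der, pos)  # enter tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                      # optional [0] version
        pos = end
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data the domain owner would publish, as bytes."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return data if mtype == 0 else hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()

def tlsa_matches(cert_der, usage, selector, mtype, assoc_hex):
    """Client-side check of the presented certificate against one TLSA record."""
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled; other usages need chain building")
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return False  # unknown parameters: the record is unusable
    return hmac.compare_digest(tlsa_data(cert_der, selector, mtype), bytes.fromhex(assoc_hex))

def sample_cert(key_bits):
    """Constructed DER skeleton with the X.509 field layout, not a real certificate."""
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

With a `3 1 1` record published for one key, a certificate for the same name that carries any other key fails `tlsa_matches`, regardless of which CA signed it.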