💾 Archived View for gemini.bunburya.eu › newsgroups › gemini › messages › 877d568i43.fsf@news.geriks… captured on 2023-06-14 at 14:28:20. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-07-16)
-=-=-=-=-=-=-
From: Gustaf Erikson <gerikson@gmial.com>
Subject: Re: Certificate renewal under TOFU?
Date: Fri, 24 Jun 2022 12:34:52 +0200
Message-ID: <877d568i43.fsf@news.gerikson.com>
Matthew Ernisse <matt@going-flying.com> writes:
On Tue, 21 Jun 2022 09:44:53 +0200, tpt wrote:
> On 18-Jun-22 20:24, danrl wrote:
> Hypothetically speaking, what would be the arguments against using DANE
> for Gemini? On first glance it seems like a perfect thing for the job.
I don't seem to have the discussion in my mailing list archive but I seem
to recall that there were those who thought the complexity was too high.
Similar to just getting a real SSL certificate (which I'd argue is trival
these days), DANE can be complex to setup if you don't already have DNSSEC
signing going for your zone. I don't believe DNSSEC zone signing is even
univerally supported by DNS hosts.
I think Let's Encrypt has placed getting a valid SSL cert into a local
minimum. A similar effort would have to be made to simplify DANE.
Speaking as a not-at-all inexperienced amateur sysadmin, DNS is Dark
Magic to me. DANE would have to be at least as turn-key simple as LE to
get me to use it.
/g.
--
A chain is only as strong as its weakest certificate.
Parent:
Start of thread:
Certificate renewal under TOFU? (by danrl <d@x.gl> on Mon, 30 May 2022 03:31:15 -0000 (UTC))
Children:
Re: Certificate renewal under TOFU? (by tpt <Rajoduo@yahoo.com> on Wed, 29 Jun 2022 18:10:02 +0200)