💾 Archived View for gemini.bunburya.eu › newsgroups › gemini › messages › 877d568i43.fsf@news.geriks… captured on 2024-07-09 at 00:10:17. Gemini links have been rewritten to link to archived content


Re: Certificate renewal under TOFU?

Message headers

From: Gustaf Erikson <gerikson@gmial.com>

Subject: Re: Certificate renewal under TOFU?

Date: Fri, 24 Jun 2022 12:34:52 +0200

Message-ID: <877d568i43.fsf@news.gerikson.com>

Message content

Matthew Ernisse <matt@going-flying.com> writes:

> On Tue, 21 Jun 2022 09:44:53 +0200, tpt wrote:
>> On 18-Jun-22 20:24, danrl wrote:
>>> Hypothetically speaking, what would be the arguments against using DANE
>>> for Gemini? On first glance it seems like a perfect thing for the job.
> I don't seem to have the discussion in my mailing list archive but I seem
> to recall that there were those who thought the complexity was too high.
> Similar to just getting a real SSL certificate (which I'd argue is trivial
> these days), DANE can be complex to set up if you don't already have DNSSEC
> signing going for your zone. I don't believe DNSSEC zone signing is even
> universally supported by DNS hosts.

I think Let's Encrypt has placed getting a valid SSL cert into a local
minimum. A similar effort would have to be made to simplify DANE.

Speaking as a not-at-all inexperienced amateur sysadmin, DNS is Dark
Magic to me. DANE would have to be at least as turn-key simple as LE to
get me to use it.

/g.

--

A chain is only as strong as its weakest certificate.

Related

Parent:

Re: Certificate renewal under TOFU? (by Matthew Ernisse <matt@going-flying.com> on Thu, 23 Jun 2022 12:34:55 -0000 (UTC))

Start of thread:

Certificate renewal under TOFU? (by danrl <d@x.gl> on Mon, 30 May 2022 03:31:15 -0000 (UTC))

Children:

Re: Certificate renewal under TOFU? (by tpt <Rajoduo@yahoo.com> on Wed, 29 Jun 2022 18:10:02 +0200)