On 8/12/24 15:20, Nick Lockheart wrote:
> The problem with TLS, however, is that all major browsers will block
> your website unless you have a certificate signed by one of a small
> handful of "Chosen Few" Certificate Authorities that are hard-coded
> into the browser.
Hi Nick,
Does DANE and TLSA solve your problem?
It doesn't appear that the major browsers directly support it, but
experiments with it date back over 10 years [1] [2].
Browsing the DNS related RFCs [3], I don't see an equivalent to RFC 7672
so maybe that's a contribution the IETF could use.
I hope you find any of this helpful.
-andy
[1] https://www.internetsociety.org/blog/2014/02/weekend-project-install-the-dnssectlsa-validator-for-chrome-firefox-more/
[2] https://github.com/buffrr/letsdane
[3] https://rfc-annotations.research.icann.org/dns-index.html
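An added example, not part of Andy's message or of the projects he links, showing what a TLSA record pins: it builds the DANE-EE (usage 3) record an operator would publish from a certificate's DER bytes or SubjectPublicKeyInfo, and checks a presented certificate against it. The certificate and SPKI bytes are constructed placeholders; the field layout follows RFC 6698.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA RDATA fields, RFC 6698 section 2.1.
USAGE_DANE_EE = 3        # pin the end-entity certificate itself; no CA path is consulted
SELECTOR_FULL_CERT = 0   # match against the whole DER-encoded certificate
SELECTOR_SPKI = 1        # match against the SubjectPublicKeyInfo only
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 1 1 <hex>' into its fields."""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(assoc.split())))

def association_data(selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Certificate Association Data for the given selector and matching type."""
    if selector not in (SELECTOR_FULL_CERT, SELECTOR_SPKI):
        raise ValueError(f"unknown selector {selector}")
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def make_tlsa(selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> str:
    """Build the DANE-EE record (usage 3) an operator would publish in DNS."""
    data = association_data(selector, matching_type, cert_der, spki_der)
    return f"{USAGE_DANE_EE} {selector} {matching_type} {data.hex()}"

def dane_ee_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    # Only usage 3 is handled: usages 0-2 also need chain validation, and every usage
    # presumes the TLSA RRset came from a DNSSEC-validating resolver; neither is done here.
    if record.usage != USAGE_DANE_EE:
        raise ValueError("only DANE-EE (usage 3) is verified by this example")
    expected = association_data(record.selector, record.matching_type, cert_der, spki_der)
    return hmac.compare_digest(expected, record.data)

# Constructed placeholders; a real check uses the DER cert and SPKI from the TLS handshake.
CERT_DER = b"constructed stand-in for a DER-encoded certificate"
SPKI_DER = b"constructed stand-in for a DER-encoded SubjectPublicKeyInfo"
```

Selector 1 with matching type 1 ("3 1 1") is the common operational choice because the record survives certificate renewal as long as the key pair is kept.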