On Mon, 2024-08-12 at 17:42 -0400, Andrew Newton (andy) wrote:
>
> On 8/12/24 15:20, Nick Lockheart wrote:
> > The problem with TLS, however, is that all major browsers will block
> > your website unless you have a certificate signed by one of a small
> > handful of "Chosen Few" Certificate Authorities that are hard-coded
> > into the browser.
>
> Hi Nick,
>
> Do DANE and TLSA solve your problem?
>
> It doesn't appear that the major browsers directly support it, but
> experiments with it date back over 10 years [1] [2].
>
> Browsing the DNS-related RFCs [3], I don't see an equivalent to RFC 7672,
> so maybe that's a contribution the IETF could use.
>
> I hope you find any of this helpful.
>
> -andy

Thank you, Andy. I have read through the linked article about SMTP security.

I think the issue with DANE (for websites) is that it relies on DNSSEC, which, unfortunately, turns into a debate over "who gets to own the keys to the entire Internet".

I am certainly interested in brainstorming ways to validate a TLS certificate *without* the need for DNSSEC. I think this could actually be done with some non-profit organizations, and could provide at least the same level of security as the Domain Validation checks done by organizations like "Let's Encrypt", but without needing a Certificate Authority that can sign on behalf of *any* site, and without sites needing a signature from a small list of Certificate Authorities.

I could write up more details if people are interested. I wanted to make sure this was the right place to discuss it first, though.

Thanks,

Nick
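To make concrete what the DANE/TLSA check Andy points to actually does, and why Nick's DNSSEC objection is the crux, here is an added example (not code from this thread or from any participant) of matching a presented certificate against a DANE-EE TLSA record, using only Go's standard library and a constructed self-signed certificate for a made-up name. It assumes the record has already been fetched; the DNSSEC validation of that record, which is the only thing standing between the pin and a spoofed answer, is deliberately out of scope.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// TLSA mirrors TLSA RDATA (RFC 6698): usage, selector, matching type, data.
type TLSA struct{ Usage, Selector, MatchingType uint8; Data []byte }

// tlsaAssociation returns the bytes a TLSA record carries for cert, or nil for
// combinations left out here. Selector: 0 = full DER certificate, 1 =
// SubjectPublicKeyInfo. Matching type: 0 = exact bytes, 1 = SHA-256 (2 = SHA-512).
func tlsaAssociation(cert *x509.Certificate, sel, match uint8) []byte {
	src := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[sel]
	if src == nil || match > 1 {
		return nil
	}
	if match == 0 {
		return src
	}
	h := sha256.Sum256(src)
	return h[:]
}

// MatchDANEEE checks a presented leaf certificate against a DANE-EE (usage 3)
// record, which pins the server's own certificate or key so no CA chain is
// consulted. Trust then rests on the record having been validated via DNSSEC,
// which this function cannot check: an unsigned TLSA record proves nothing.
func MatchDANEEE(cert *x509.Certificate, rec TLSA) bool {
	if rec.Usage != 3 {
		return false // PKIX-TA/EE and DANE-TA (usages 0-2) need chain building
	}
	got := tlsaAssociation(cert, rec.Selector, rec.MatchingType)
	return got != nil && bytes.Equal(got, rec.Data)
}

func selfSignedCert() *x509.Certificate { // constructed throwaway cert, no real site
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A "3 1 1" record (usage 3, selector 1, SHA-256) is what RFC 7672 recommends for SMTP, and the same matching would apply to a web server if browsers supported it.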