On 2015-05-28 09:33:35 +0200 (+0200), Roland Mas wrote:
> I understand that behemoths such as Iceweasel may take some time
> to move, but maybe Git could be made to use the TLSA records in
> DNSSEC? Postfix does make use of them, and SSH uses their SSHFP
> cousins, so it's not completely an abstract idea.
Pick your poison. I'm a fan of DANE (RFC 6698, DNSSEC+TLSA) for this as well, but there are plenty of people hanging their hopes on HPKP (RFC 7469, key pinning) along with CT (RFC 6962, certificate transparency). If you rely on DNSSEC then you're trusting the governments with control over jurisdictions where the DNS root keys are managed not to MitM you by fabricating signed resolution chains down to a TLSA record with the cert they want you to see. It all depends on which tinfoil hat you find most comfortable.

-- 
Jeremy Stanley

Archive: https://lists.debian.org/20150528155421.go2...@yuggoth.org
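As an added illustration, not code from either message or from Git, Postfix or any other project named in the thread: this is what a client that "used the TLSA records in DNSSEC" would actually evaluate once it has a DNSSEC-validated TLSA answer in hand. It assumes that validation has already happened (the trust in the DNSSEC chain that Jeremy describes is taken as given), the function and constant names are mine, and the certificate and SubjectPublicKeyInfo bytes are constructed stand-ins rather than real DER.

```python
import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 certificate usages: PKIX-TA=0, PKIX-EE=1, DANE-TA=2, DANE-EE=3
PKIX_EE, DANE_EE = 1, 3


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 0..3, see above
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # Certificate Association Data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the RFC 6698 presentation format '<usage> <selector> <mtype> <hex>'."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs four fields")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("unknown TLSA usage/selector/matching type")
    # zone files may split the hex over several whitespace-separated chunks
    return TLSARecord(usage, selector, matching, bytes.fromhex("".join(fields[3:])))


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the record's association data against the presented end-entity cert."""
    payload = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 1:
        payload = hashlib.sha256(payload).digest()
    elif rec.matching == 2:
        payload = hashlib.sha512(payload).digest()
    return hmac.compare_digest(payload, rec.data)


def dane_accepts(records, cert_der: bytes, spki_der: bytes, pkix_valid: bool) -> bool:
    """End-entity DANE decision: DANE-EE (3) needs only a record match, PKIX-EE (1)
    needs a match plus a normally PKIX-valid chain. The trust-anchor usages 0 and 2
    apply to a chain certificate, not the leaf, and are not evaluated here."""
    for rec in records:
        if rec.usage == DANE_EE and tlsa_matches(rec, cert_der, spki_der):
            return True
        if rec.usage == PKIX_EE and pkix_valid and tlsa_matches(rec, cert_der, spki_der):
            return True
    return False


# Constructed sample inputs (not real DER): what a zone might publish for a DANE-EE SPKI pin
SAMPLE_CERT = b"constructed end-entity certificate DER"
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo DER"
SAMPLE_RR = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

A selector-1 record pins the key, so a reissued certificate carrying the same key still matches, while a selector-0 record pins the exact certificate bytes.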