Bill Woodcock <wo...@pch.net> writes:

>> Does this mean that DigiCert is the only alternative?
>
> I assume not, but we’d already used them for other things, and they
> didn’t have a problem doing it, so we didn’t shop any further.

Makes sense. That's how I started as well. But we are using Buypass,
and for some unknown reason they did have a problem doing it.

>> And do they really have this offer for ordinary users, or is this also
>> some special arrangement for big players only?
>
> No, we didn’t have to do anything special, to the best of my knowledge.

Good to know. Thanks

>> That does make me wonder how they verify that I'm the rightful owner of
>> "sites, IP addresses, common names, etc.". In particular, "etc" :-)
>> Or you could ask yourself if you trust a CA with such an offer...
>
> Yep. DANE is the correct answer. CAs are not. But that’s been true
> for a very long time, and people are still trying to pretend that CAs
> know what’s what.

Agree 100%.

Now I'm going to ask another stupid question: How would DANE work for
DoT/DoH? Having TLSA records in in-addr.arpa and ip6.arpa?

Bjørn