On Tue, Nov 29, 2022 at 04:04:58PM +0100, Bas Westerbaan wrote:

> > On the other hand, the actual certificates are not what one
> > would want to log anyway.  Instead one would only want to log DS RRsets
> > or NODATA proofs from eTLD registries (gTLDs, ccTLDs and also various
> > 2LD, 3LD, ...  suffixes operated by TLD registries).
> 
> This is the case if you run your own authoritative DNS server. Most do not.
> So you'd want transparency on the TLSA records as well.

Your DNS operator is not some random 3rd party (like a public CA, with
which you have no business relationship, and which can unilaterally
issue certificates you never asked for).  If you don't trust your DNS
operator, use them only as a secondary, and run a hidden master where
you do all the signing.

Logging all TLSA RRsets (and denial thereof!) is impractical.  The
design does not have to be perfect, it just has to be sufficiently useful
and realisable.

-- 
    Viktor.
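The check that logging DS RRsets (rather than TLSA records) is meant to support, as an added example that is not from this thread or any project it mentions: given the DNSKEYs you hold for a zone, compute the DS records the parent should publish (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) and report any DS in the parent's RRset that matches none of them. The zone name, keys and helper function names are constructed for illustration.

```python
from __future__ import annotations
import hashlib

def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format (RFC 4034 s2.1): flags | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not valid for the obsolete RSA/MD5 algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes) -> tuple:
    """DS record (key tag, algorithm, digest type 2, hex digest) the parent should publish; RFC 4509 SHA-256."""
    digest = hashlib.sha256(canonical_wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def unexpected_ds(owner: str, our_dnskeys: list, parent_ds_rrset: list) -> list:
    """DS records in the parent's RRset that match none of the DNSKEYs we hold: the thing to alert on."""
    expected = {ds_from_dnskey(owner, k) for k in our_dnskeys}
    return [ds for ds in parent_ds_rrset
            if (ds[0], ds[1], ds[2], ds[3].upper()) not in expected]

# Constructed sample: one ECDSA P-256 KSK (algorithm 13, flags 257) we hold, plus a key we never made.
OUR_KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
ROGUE_KEY = dnskey_rdata(257, 3, 13, bytes(range(65, 129)))
ZONE = "example.com."

def audit_example() -> list:
    """Parent publishes a DS for our key and one for the rogue key; only the rogue one is returned."""
    parent_ds = [ds_from_dnskey(ZONE, OUR_KSK), ds_from_dnskey(ZONE, ROGUE_KEY)]
    return unexpected_ds(ZONE, [OUR_KSK], parent_ds)
```

In practice `parent_ds_rrset` would be the DS RRset fetched from the parent (or from a log of registry DS RRsets), parsed into the same (key tag, algorithm, digest type, hex digest) tuples.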

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls