ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.

Dennis Jackson

@matt

Just following up on your tweet (twitter.com/TheBlueMatt/status). I appreciate the passion and wanted to share a bit more of my opinion as an individual.

From where I sit, I'm much more positive about the impact of systems like Certificate Transparency where we can ensure that any CA MiTM is quickly detected, rather than adding an independent root of trust with DNSSEC.

As far as I know, DNSSEC signing keys are controlled by the TLD operators and it's not like websites can migrate to a different TLD without losing their identity / reputation. Also, there's no transparency mechanism for what the TLD operators sign. They could easily swap out your HTTPS RR record. So building systems that place greater reliance on DNSSEC feels like an anti-pattern to me.

Twitter: Matt Corallo on Twitter: “@Dennis__Jackson apologies if I’m pushing hard, but I admit I’m excited - if we can find reasonable solutions to slip in the option for TLS servers to opt into security beyond *only* CAs, that seems like something more than worth fighting for, and a *huge* win!”