On 02.12.20 08:44, Ian Zimmerman wrote:
> Sorry, I feel contrarian today (and many other days too). So there:
>
> http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml

So, then use DANE.

I basically share the criticism of the CA design, but his comparison with
the TOFU of SSH misses the whole point of authenticating the server's
identity (...and comparing fingerprints just doesn't scale – at least he
could have mentioned SSHFP to get somewhere close).

Don't you guys run Linux? So the Linux Foundation and EFF are your
competitors? Nah. And the cleartext communication with LE is signed, btw;
there is the DNS-01 challenge method, which can be secured by DNSSEC,
and so forth.

The only option in his picture of the web is to use plaintext HTTP
or HTTPS that does not make a distinction between self-signed and issued
certs. Is that any better? Does this guy understand what he writes
about? I get the impression this is mostly publicly shown narcissism and
false conclusions – me too, I feel contrarian.

Adrian.