I wish I understood more of this discussion and "basic problem," if
any, but in years past we used to share common "Network" files using
dialup, FTP, web, etc. We sort of do it now with the CA-BUNDLE.TXT
file for the intermediate CA certs. When I build new OpenSSL images,
the wcSSL package distribution includes a new ca-bundle.txt file with
new CA certs merged. The main bundle is from:
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
In the last update, I merged a bunch of them:
## 07/31/18 01:56 pm
## - Using MergeCACerts.cmd
## - merge newbundle\ca-bundle-20180626.txt
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
## - merge newbundle\AddTrustExternalCARoot.pem Comodo
## - merge newbundle\COMODORSAAddTrustCA.pem Comodo
## - merge newbundle\COMODORSAOrganizationValidationSecureServerCA.pem Comodo
## - merge newbundle\chain.pem Let's Encrypt
## - merge newbundle\gd_bundle-g2-g1.crt GoDaddy
## - merge newbundle\gd_bundle.crt GoDaddy
But it just dawned on me: should a site like the above domain be trusted
as a TTP (Trusted Third Party) CA? The bundle can contain TTP
"posers." For that matter, why should the user trust any CA anyway?
--
HLS
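A check in the spirit of the merge log above, added here as an example and not part of the original post, of wcSSL, or of MergeCACerts.cmd: anything merged into a trust bundle is treated as a trust anchor, so the intermediates listed (the Comodo and GoDaddy issuing CAs, the Let's Encrypt chain) are exactly the entries worth flagging before they go into ca-bundle.txt. The script splits a PEM bundle, walks the DER with a minimal TLV parser (standard library only) to pull out issuer and subject, and reports every entry that is not self-signed. The bundle it runs on is constructed inline from unsigned placeholder certificates whose names are invented for the demo.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"  # DER of OID 2.5.4.3 (commonName)


def split_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, whole_tlv, value) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, buf[pos:vend], buf[vstart:vend]
        pos = vend


def issuer_and_subject(der):
    """Return the DER-encoded (issuer, subject) Names of an X.509 certificate."""
    _, s, e = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, s, e = _read_tlv(der, s)            # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, s, e))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def common_name(name):
    """Pull the commonName out of a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    _, s, e = _read_tlv(name, 0)
    for _, rdn, _ in _children(name, s, e):
        _, rs, re_ = _read_tlv(rdn, 0)
        for _, atv, _ in _children(rdn, rs, re_):
            _, as_, ae = _read_tlv(atv, 0)
            oid, value = list(_children(atv, as_, ae))
            if oid[1] == CN_OID:
                return value[2].decode("utf-8", "replace")
    return "<no CN>"


def audit_bundle(text):
    """Classify each bundle entry: self-signed (a trust anchor) or issued by another name."""
    report = []
    for der in split_pem_bundle(text):
        issuer, subject = issuer_and_subject(der)
        report.append({"subject": common_name(subject), "issuer": common_name(issuer),
                       "self_signed": issuer == subject})
    return report


def non_anchors(text):
    """Subjects that are not self-signed and therefore do not belong in a root store."""
    return [r["subject"] for r in audit_bundle(text) if not r["self_signed"]]


# --- constructed sample input: unsigned placeholder certificates, not real CAs ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, CN_OID + _der(0x0C, cn.encode()))))


def _fake_cert(subject_cn, issuer_cn):
    """Structurally valid X.509 DER with the given names; the signature is an empty placeholder."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, b"290101000000Z"))
           + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_BUNDLE = (_pem(_fake_cert("Example Root CA", "Example Root CA"))
                 + _pem(_fake_cert("Example Issuing CA", "Example Root CA"))
                 + _pem(_fake_cert("mail.example.net", "Example Issuing CA")))

if __name__ == "__main__":
    for entry in audit_bundle(SAMPLE_BUNDLE):
        print(entry)
```

Run it against a real ca-bundle.txt by passing the file's contents to audit_bundle(); every entry in a properly curated root store should come back self_signed, and anything else is either a merged intermediate or something that was never a root in the first place. Self-signed is a necessary test, not a sufficient one: a "poser" can self-sign just as easily, and the question of whether a given self-signed root deserves to be there is the provenance question the post raises, which no parser can answer.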
On 10/15/2019 7:33 AM, Tony Finch wrote:
> John R Levine <johnl(_at_)taugh(_dot_)com> wrote:
>> On Mon, 14 Oct 2019, Tony Finch wrote:
>>> RFC 7344 did not include bootstrapping, but that was added by RFC 8078.
>>> Sadly it's more like a set of hints rather than an actual protocol...
>>
>> It's just hand waving. The guys who wrote it know that, but the problem is
>> that there was no consensus on how to bootstrap. It's a hard problem since
>> it's sort of inherent that there's nothing other than a DNSSEC signature that
>> reliably authenticates a DNSSEC record.
>
> I think if we get more registries copying .cz and/or .ch then some
> consensus may emerge but there doesn't seem to be much movement in this
> area...
>
> Tony.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp