2019-10-15 11:52:43
I wish I understood more of this discussion and "basic problem," if any, but in years past, we used to share common "Network" files using dialup, ftp, web, etc. We sort of do it now with the CA-BUNDLE.TXT file for the Intermediate CA certs. When I build new OpenSSL images, the wcSSL package distribution includes a new ca-bundle.txt file with new CA certs merged. The main bundle is from:

In the last update, I merged a bunch of them:

##  07/31/18 01:56 pm
##  - Using MergeCACerts.cmd
##  - merge newbundle\ca-bundle-20180626.txt
##  - merge newbundle\AddTrustExternalCARoot.pem   Comodo
##  - merge newbundle\COMODORSAAddTrustCA.pem   Comodo
##  - merge newbundle\COMODORSAOrganizationValidationSecureServerCA.pem   Comodo
##  - merge newbundle\chain.pem   Let's Encrypt
##  - merge newbundle\gd_bundle-g2-g1.crt   GoDaddy
##  - merge newbundle\gd_bundle.crt   GoDaddy

But it just dawned on me: should a site like the above domain be trusted as a TTP (Trusted Third Party) CA? The bundle can contain TTP "posers." For that matter, why should the user trust any CA anyway?


On 10/15/2019 7:33 AM, Tony Finch wrote:
> John R Levine <johnl(_at_)taugh(_dot_)com> wrote:
>> On Mon, 14 Oct 2019, Tony Finch wrote:
>>
>>> RFC 7344 did not include bootstrapping, but that was added by RFC 8078.
>>> Sadly it's more like a set of hints rather than an actual protocol...
>>
>> It's just hand waving.  The guys who wrote it know that, but the problem is
>> that there was no consensus on how to bootstrap.  It's a hard problem since
>> it's sort of inherent that there's nothing other than a DNSSEC signature that
>> reliably authenticates a DNSSEC record.
>
> I think if we get more registries copying .cz and/or .ch then some
> consensus may emerge but there doesn't seem to be much movement in this
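The CA-bundle merge described in the top post (MergeCACerts.cmd folding several PEM files into ca-bundle.txt), as an added example that is not part of this thread and not the wcSSL tooling: a small Python merger that deduplicates certificates by SHA-256 fingerprint of their DER bytes, records which source file first contributed each certificate so that a questionable "poser" entry can later be traced back to the file it came from, and refuses to merge any PEM block that is not a CERTIFICATE (a chain.pem that accidentally carries a private key gets flagged instead of copied). The file names mirror those in the post; the certificate payloads are constructed placeholder bytes, not real X.509 certificates, so nothing here decodes subject names.

```python
"""Merge PEM CA bundles with provenance tracking and deduplication.

Added example for this thread; not the wcSSL MergeCACerts.cmd tool.
"""
import base64
import hashlib
import re

# One PEM block: label is repeated in the END line, body is base64 text.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def make_pem(label, der):
    """Wrap raw bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def parse_pem(text):
    """Yield (label, der_bytes) for every PEM block found in text."""
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        yield label, der


def fingerprint(der):
    """SHA-256 of the DER encoding, the usual identity of a certificate."""
    return hashlib.sha256(der).hexdigest()


def merge_bundles(sources):
    """Merge (name, pem_text) pairs in order.

    Returns (merged_pem, provenance, log, rejected):
      merged_pem  - PEM text with a comment header before each certificate
      provenance  - fingerprint -> source file that first contributed it
      log         - lines in the style of the '## - merge ...' record
      rejected    - (source, label) for non-CERTIFICATE blocks skipped
    """
    provenance = {}
    out, log, rejected = [], [], []
    for name, text in sources:
        added = 0
        for label, der in parse_pem(text):
            if label != "CERTIFICATE":
                # Keys, CSRs, etc. never belong in a trust bundle.
                rejected.append((name, label))
                continue
            fp = fingerprint(der)
            if fp in provenance:
                log.append(f"##    dup {fp[:16]} in {name} (first seen in {provenance[fp]})")
                continue
            provenance[fp] = name
            out.append(f"# source: {name}\n# sha256: {fp}\n" + make_pem("CERTIFICATE", der))
            added += 1
        log.append(f"##  - merge {name}: {added} new")
    return "".join(out), provenance, log, rejected


# Constructed inputs: placeholder bytes stand in for DER-encoded certificates.
SAMPLE_SOURCES = [
    ("ca-bundle-20180626.txt",
     make_pem("CERTIFICATE", b"constructed-root-A")
     + make_pem("CERTIFICATE", b"constructed-root-B")),
    ("COMODORSAAddTrustCA.pem",
     make_pem("CERTIFICATE", b"constructed-root-B")          # duplicate of above
     + make_pem("CERTIFICATE", b"constructed-intermediate-C")),
    ("chain.pem",
     make_pem("CERTIFICATE", b"constructed-intermediate-C")  # duplicate
     + make_pem("PRIVATE KEY", b"constructed-not-a-cert")),  # must be rejected
]


if __name__ == "__main__":
    merged, prov, log, rejected = merge_bundles(SAMPLE_SOURCES)
    print("\n".join(log))
    for src, label in rejected:
        print(f"REJECTED {label} block in {src}")
    print(merged)
```

Running the block prints a merge record like the one in the post plus a line per rejected block; the provenance comments written above each certificate are what lets a later reviewer answer "where did this CA come from?" without re-running the merge.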


