Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

2020-03-08 08:42:46
On Sun, Mar 08, 2020 at 07:42:57AM -0400, Phil Pennock wrote:

On 2020-03-07 at 04:29 -0500, Viktor Dukhovni wrote:

Here opinions differ.  Trusting a CA that validates domain control as
weakly as Let's Encrypt would not be my choice.  But with half the
world trusting Let's Encrypt's "proofs" of domain control, you can
perhaps be comfortable in knowing that you're not alone...

If that's the concern, then tell Let's Encrypt which accounts are
allowed to issue certificates for your domain.

E.g., in the zonefile for `` I have:

@  CAA  0  issue ""
@  CAA  0  issue "\; 

Which then of course relies on their DNSSEC validation working properly,
and (recent case in point) their implementation of CAA records working
properly, ...  I just avoid them entirely:

    IN CAA 0 issue
    IN TLSA 3 1 1 

As I said, opinions differ. :-)
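The two positions above (a CAA `issue` record that pins issuance to one ACME account, versus a CAA record that forbids every CA so that only DANE/TLSA matters) are both expressible as a CAA policy check. The following is an added example, not code from the thread or from any CA's implementation: it implements the RFC 8659 lookup and evaluation rules (climb toward the root until a non-empty CAA set is found, `issuewild` overriding `issue` for wildcard names, `;` meaning "no issuer", unknown critical tags blocking issuance) plus the RFC 8657 `accounturi` parameter. The zone contents, names and the account URI are constructed for illustration.

```python
"""CAA policy evaluator (RFC 8659 + RFC 8657 accounturi) over an in-memory zone.

Added example; the zone data and account URI below are constructed, not real.
"""
from dataclasses import dataclass

# Critical-flag bit (RFC 8659 section 4.1.1) and the property tags we understand.
ISSUER_CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone: owner name -> CAA rrset. "example.com." allows only one
# Let's Encrypt account and forbids wildcard issuance by anyone;
# "locked.example." forbids all issuance (the DANE-only stance).
ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345"),
        CAA(0, "issuewild", ";"),
    ],
    "locked.example.": [CAA(0, "issue", ";")],
}


def relevant_caa_set(name, zone):
    """RFC 8659 section 3: the relevant rrset is the first non-empty one found
    walking from the name toward the root. Returns (owner, rrset)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner)
        if rrset:
            return owner, list(rrset)
    return None, []


def parse_value(value):
    """Split 'issuer-domain; key=value; ...' into (issuer_domain, params).
    An empty issuer-domain (the bare ';' form) authorises no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return issuer, params


def issuance_allowed(name, ca_domain, account_uri=None, wildcard=False, zone=ZONE):
    """Return True if a CA identified by ca_domain may issue for name.
    account_uri is the ACME account the request comes from (RFC 8657)."""
    _owner, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue

    # Unknown critical property: the CA MUST NOT issue.
    for r in rrset:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False

    tag = "issuewild" if wildcard else "issue"
    records = [r for r in rrset if r.tag.lower() == tag]
    if wildcard and not records:
        records = [r for r in rrset if r.tag.lower() == "issue"]  # issue applies when issuewild absent
    if not records:
        return True  # relevant set carries no applicable restriction

    for r in records:
        issuer, params = parse_value(r.value)
        if issuer == "" or issuer != ca_domain.lower():
            continue
        acct = params.get("accounturi")
        if acct is not None and acct != account_uri:
            continue  # right CA, wrong (or no) ACME account
        return True
    return False


if __name__ == "__main__":
    acct = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
    print(issuance_allowed("www.example.com.", "letsencrypt.org", acct))   # True
    print(issuance_allowed("www.example.com.", "letsencrypt.org"))         # False: account pinned
    print(issuance_allowed("example.com.", "letsencrypt.org", acct, wildcard=True))  # False
    print(issuance_allowed("mail.locked.example.", "letsencrypt.org", acct))  # False: ';' forbids all
```

The account pinning is only as strong as the resolver path a CA uses to fetch the record, which is the objection raised above: a CA that reaches the zone through unvalidated DNS can be fed a different answer. The evaluator makes that visible in one place: everything it decides rests on what `relevant_caa_set` returns.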


