ietf-smtp

Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

2020-03-08 08:42:46
On Sun, Mar 08, 2020 at 07:42:57AM -0400, Phil Pennock wrote:

On 2020-03-07 at 04:29 -0500, Viktor Dukhovni wrote:

Here opinions differ.  Trusting a CA that validates domain control as
weakly as Let's Encrypt would not be my choice.  But with half the
world trusting Let's Encrypt's "proofs" of domain control, you can
perhaps be comfortable in knowing that you're not alone...

If that's the concern, then tell Let's Encrypt which accounts are
allowed to issue certificates for your domain.

Eg, in the zonefile for `spodhuis.org` I have:

@  CAA  0  issue "globnix.net"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/1134193"

Which then of course relies on their DNSSEC validation working properly,
and (recent case in point) their implementation of CAA records working
properly, ...  I just avoid them entirely:

    dukhovni.org. IN CAA 0 issue dukhovni.org
    _25._tcp.smtp.dukhovni.org. IN TLSA 3 1 1 5e078b3160569f165a69eb860395bbbdc7576c3603c3452b07139c276b26d01c

As I said, opinions differ. :-)

-- 
    Viktor.
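The CAA restriction Phil describes, worked through as an added example (not code from either poster): this evaluates a domain's CAA `issue` records the way a CA must before issuing under RFC 8659, including the `accounturi` parameter (RFC 8657) that pins issuance to one ACME account. The record sets are constructed from the ones quoted above, and the function names are my own.

```python
# Added example (not code from the thread): evaluate CAA "issue" records the way
# a CA must before issuing (RFC 8659), including the accounturi parameter that
# Phil's letsencrypt.org record uses (RFC 8657). Function names are my own.

# Constructed input: Phil's spodhuis.org records as (flags, tag, value) tuples,
# with the zonefile "\;" escaping removed.
SPODHUIS_CAA = [
    (0, "issue", "globnix.net"),
    (0, "issue", "letsencrypt.org; accounturi="
                 "https://acme-v01.api.letsencrypt.org/acme/reg/1134193"),
]
# Constructed input: Viktor's single dukhovni.org record.
DUKHOVNI_CAA = [(0, "issue", "dukhovni.org")]

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit


def parse_issue_value(value):
    """Split an issue value into (issuer_domain, {param: value}).
    An empty issuer domain (value ";") forbids every CA."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        if k.strip():
            params[k.strip()] = v.strip()
    return parts[0].lower(), params


def ca_may_issue(caa_records, ca_domain, account_uri=None):
    """True if the CA named by ca_domain, acting for account_uri, may issue.
    Assumes caa_records is the relevant (closest-ancestor) CAA RRset."""
    # A critical record with a tag the CA does not understand forbids issuance.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in caa_records):
        return False
    issue_values = [v for _, t, v in caa_records if t == "issue"]
    if not issue_values:          # no issue records at all: any CA may issue
        return True
    for value in issue_values:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain.lower():
            continue
        wanted = params.get("accounturi")
        # No accounturi parameter: any account at that CA; otherwise exact match.
        if wanted is None or wanted == account_uri:
            return True
    return False
```

With Phil's records, Let's Encrypt may issue only from account 1134193, while with Viktor's record Let's Encrypt may not issue at all; a domain with no CAA records places no restriction.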

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp