  2. 4

    Wouldn’t DNSSEC with DANE solve the problem of needing a third-party certificate authority? I think for the overwhelming majority of use cases it might. So in a world where certs were verified through DANE, a tool like this might be even more useful.

    That reminds me, I need to set up DNSSEC on my own domains.

    It’s worth noting that BearSSL doesn’t support TLS 1.3 yet. I ended up using GNUTLS to take this script for a spin; it worked beautifully.

    1. 1

      DANE would definitely solve this issue but it’s barely deployed.

      1. 1

        Barely deployed client-side too, or just server-side? I’d start using it server-side today if I knew that the overwhelming majority of clients would just support it out of the box.

        1. 1

          As far as I know OpenSSL has had support for DANE for a couple of years now, so it should work on new clients, but the general support in client libraries is still low, and browsers barely support it. Also, most off-the-shelf registrars don’t allow adding TLSA entries to the zone, or even support DNSSEC to begin with.
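
An added example (my own code, not from the thread or from OpenSSL, BearSSL or GnuTLS) of what "verifying certs through DANE" amounts to on the client side: a DANE-EE TLSA record (usage 3, selector 1, matching type 1) pins the SHA-256 of the server's SubjectPublicKeyInfo, so the client only has to walk the presented certificate's DER to the SPKI, hash it, and compare. The certificate below is a constructed, unsigned X.509-shaped DER structure (an assumption so the example runs offline); the DER walker and the comparison are the same for a real certificate. It goes beyond the specific record the thread mentions by also handling selector 0 (full certificate) and matching types 0 and 2.

```python
# Added example (not from the thread): generate and check a DANE-EE TLSA record
# against a certificate's SubjectPublicKeyInfo, standard library only.
# The certificate is a constructed, unsigned toy DER structure used as test data.
import hashlib
import hmac


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def der_split(buf: bytes, pos: int = 0):
    """Parse the TLV starting at pos; return (tag, content, end_offset)."""
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if ln & 0x80:  # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr += nbytes
    return tag, buf[pos + hdr:pos + hdr + ln], pos + hdr + ln


def der_children(tlv: bytes) -> list:
    """Return (tag, whole_tlv_bytes) for each element inside a constructed TLV."""
    _, content, _ = der_split(tlv)
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_split(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate = SEQ { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate = SEQ { [0] version OPTIONAL, serialNumber, signature,
                           issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tbs = der_children(cert_der)[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # explicit [0] version tag present (v2/v3 certs)
        fields = fields[1:]
    return fields[5][1]       # serial, sigalg, issuer, validity, subject, SPKI


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-form TLSA rdata ("usage selector mtype hex"), RFC 6698 s2.2."""
    if selector == 0:
        data = cert_der               # Cert(0): the full certificate
    elif selector == 1:
        data = extract_spki(cert_der)  # SPKI(1): just the public key info
    else:
        raise ValueError("unknown selector")
    if mtype == 0:
        assoc = data                              # Full(0): exact bytes
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()     # SHA2-256(1)
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()     # SHA2-512(2)
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """DANE-EE check: does the presented end-entity certificate match the RR?"""
    usage, selector, mtype, assoc = rdata.split()
    if int(usage) != 3:
        # Usages 0-2 constrain a CA or also require PKIX validation; not handled here.
        raise NotImplementedError("only DANE-EE (usage 3) is handled")
    expected = tlsa_rdata(cert_der, 3, int(selector), int(mtype)).split()[3]
    return hmac.compare_digest(expected, assoc.lower())


ED25519_OID = der_tlv(0x06, b"\x2b\x65\x70")  # 1.3.101.112 (id-Ed25519)


def build_toy_cert(pubkey: bytes) -> bytes:
    """Constructed, unsigned X.509-shaped DER (placeholder signature): test data only."""
    spki = der_seq(der_seq(ED25519_OID), der_tlv(0x03, b"\x00" + pubkey))
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # version v3
        der_tlv(0x02, b"\x01"),                   # serialNumber
        der_seq(ED25519_OID),                     # signature algorithm
        der_seq(),                                # issuer: empty Name
        der_seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z")),
        der_seq(),                                # subject: empty Name
        spki,
    )
    return der_seq(tbs, der_seq(ED25519_OID), der_tlv(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    cert = build_toy_cert(bytes(range(32)))  # constructed key bytes, not a real key
    record = tlsa_rdata(cert)
    print("_443._tcp.example.invalid. IN TLSA", record)
    print("presented cert matches:", tlsa_matches(record, cert))
```

The point the thread is circling is visible in `extract_spki`: for selector 1 the certificate's issuer, subject and signature are skipped entirely, and only the public key bytes matter, which is why a self-signed certificate is perfectly adequate under DANE-EE.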

    2. 1

      This app is meant to demonstrate an imagined world where we don’t care about hierarchical certificate authorities, or going through a three-step process to request and then confirm a request for a certificate to ourselves from ourselves, when that certificate is little more than a gold filigree doily wrapped around a public key.

      It could be good for internal certificate trees that don’t rely on verifying hosts, or verify them through other means. However, in public internet scenarios certificates are meaningless if you don’t have an authority.

      NB: Why is the openssl command line harder than this?

      1. 1

        NB: Why is the openssl command line harder than this?

        In my experience, nobody uses the openssl CLI without a cheat sheet holding the half dozen or so commands they use. My idealized CLI tool would have good defaults so you rarely need to use options, and if it had a lot of options, the --help page would show the most common usage as examples at the top.