by bawolff
101 days ago
> DNSSEC could have been fixed, but Web PKI was "good enough" and the remaining problem wasn't sufficiently critical.

People say this about every failed technology. If you have something that could have been fixed at any point in the last 30 years but somehow never has been, usually I suspect it's not actually true.

> Further, certificates are issued without strong owner authentication

I don't think DNSSEC would fix this either, and quite frankly I don't think it's a super important problem to solve.
1. Configure a CAA record that restricts issuance to two CAs that support locking down issuance to specific customer accounts. For example, Let's Encrypt supports RFC 8657; DigiCert has a proprietary mechanism. After this, you can only issue certificates when you properly authenticate against your selected CAs.
2. Use only ACME validation methods that rely on DNS. Avoiding HTTP-01, for example, ensures that a MITM can't intercept that unencrypted network traffic and approve certificates with key material under their control.
3. Deploy DNSSEC. Your DNS is now cryptographically validated, meaning your CAA records can't be spoofed and the validation methods from step 2 can't be spoofed either.
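The three steps above amount to a checkable CAA policy. As an added example (not part of any commenter's text), the Python below parses CAA records in presentation format and audits them for steps 1 and 2: every `issue`/`issuewild` record must carry the RFC 8657 `accounturi` parameter (locking issuance to one CA account) and a `validationmethods` parameter limited to `dns-01`. The Let's Encrypt account URI shape is assumed and the account id is a placeholder; the sample records are constructed. Step 3 is deliberately not covered: whether these records are DNSSEC-signed has to be checked with a validating resolver, not from the record text.

```python
"""Audit a domain's CAA records against the lock-down policy from the thread.

Added example, not code from the discussion. Checks CAA content only
(steps 1 and 2); DNSSEC validation of the records (step 3) is out of scope.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 8657 parameter names. Only dns-01 counts as a DNS-based method here.
ACCOUNT_PARAM = "accounturi"
METHODS_PARAM = "validationmethods"
DNS_METHODS = {"dns-01"}

# Presentation format:  FLAGS TAG "VALUE"
_CAA_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str                      # CA domain, or ";" for "no CA may issue"
    params: dict = field(default_factory=dict)


def parse_caa(text: str) -> CaaRecord:
    """Parse one CAA record; 'issue' values may carry ';'-separated parameters."""
    m = _CAA_RE.match(text)
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    parts = [p.strip() for p in value.split(";")]
    ca = parts[0]
    params: dict = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    # An empty CA name (value ";") is the explicit deny-all form
    return CaaRecord(flags, tag, ca or ";", params)


def audit_caa(records: list[str]) -> list[str]:
    """Return policy findings; an empty list means issuance is locked down."""
    parsed = [parse_caa(r) for r in records]
    findings: list[str] = []
    issue_records = [r for r in parsed if r.tag in ("issue", "issuewild")]
    if not any(r.tag == "issue" for r in issue_records):
        findings.append("no 'issue' record: any CA may issue for this name")
    for r in issue_records:
        if r.value == ";":
            continue                # explicit deny, nothing to lock down
        label = f"{r.tag} {r.value}"
        if ACCOUNT_PARAM not in r.params:
            findings.append(f"{label}: missing {ACCOUNT_PARAM}; "
                            "any account at this CA may issue")
        methods = r.params.get(METHODS_PARAM)
        if methods is None:
            findings.append(f"{label}: missing {METHODS_PARAM}; "
                            "HTTP-01 and TLS-ALPN-01 still allowed")
        else:
            non_dns = {m.strip().lower() for m in methods.split(",")} - DNS_METHODS
            if non_dns:
                findings.append(f"{label}: non-DNS validation allowed: "
                                f"{sorted(non_dns)}")
    return findings


# Constructed sample record sets. EXAMPLE_ACCOUNT_ID is a placeholder, and the
# account URI shape is an assumption about Let's Encrypt's ACME endpoint.
LOCKED_DOWN = [
    '0 issue "letsencrypt.org; '
    'accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE_ACCOUNT_ID; '
    'validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]
WEAK = ['0 issue "letsencrypt.org"']   # step 1 CA pin only, no account or method lock

if __name__ == "__main__":
    for name, recs in (("locked-down", LOCKED_DOWN), ("weak", WEAK)):
        print(name, "->", audit_caa(recs) or "OK")
```

Running this against records pulled with `dig CAA example.com` gives a quick read on whether a zone has actually done steps 1 and 2; a clean result is only meaningful once the zone is signed, since an unsigned CAA set is exactly what step 3 exists to protect.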