Tag Archives: caa

Let's Encrypt 的 Embed SCT 支援

翻到 Let's Encrypt 的 Upcoming Features 時看到: Embed SCT receipts in certificates ETA: February, 2018 對 Embed SCT 不熟,所以查了查這個功能。 這指的是在簽發 SSL certficiate 後,把資料丟給 Certificate Transparency (CT) 伺服器後,伺服器會提供 signed certificate timestamp (SCT);而這個資料放到 SSL certificate 內叫做 Embed SCT:(出自 CT 的 FAQ) What … Continue reading

Posted in Browser, Computer, DNS, GoogleChrome, Murmuring, Network, Privacy, Security, Service, Software, WWW|Tagged , , , , , , , , , , , , , , , , , , , |Leave a comment

Chromium 內提案移除 HPKP (HTTP Public Key Pinning)

Twitter 上看到這則 tweet,提到要移除 HPKP (HTTP Public Key Pinning): Intent To Deprecate And Remove: Public Key Pinning (in Chromium) https://t.co/agS3fll7eR — Adam Langley (@agl__) October 27, 2017 blink-dev 上的討論可以參考「Intent To Deprecate And Remove: Public Key Pinning」(就是上面那個連結,只是拉出來)。 這個提案大概可以推敲出理由... 目前的作法必須寫進瀏覽器內,這樣明顯會有 scale 問題,而且這個作法本身就很 workaround,只能保護所謂「高價值」的 … Continue reading

Posted in Browser, Computer, DNS, GoogleChrome, Network, Security, Software, WWW|Tagged , , , , , , , , , , , , , , , , , , , |2 Comments

Amazon Route 53 支援 CAA record 了

Amazon Route 53 宣佈支援 CAA record 了:「Announcement: Announcement: Amazon Route 53 now supports CAA records」、「Amazon Route 53 now supports CAA records」。 這是一個被動性的 workaround,要求 CA 本身要支援 DNS CAA,所以他沒辦法防止 CA 本身作惡誤簽,但因為負作用與技術債的可能性不高,在 CA/Browser Forum 上被通過強制要求支援了。(參考「未來 CA 將會強制要求檢查 DNS CAA record」) Gandi 的 DNS … Continue reading

Posted in AWS, Cloud, Computer, DNS, Murmuring, Network, Security, Service|Tagged , , , , , , , , , , |Leave a comment

Amazon Route 53 將會加緊支援 DNS CAA

看到 Amazon Route 53 要支援 DNS CAA 的消息:「Announcement: Announcement: CAA Record Support Coming Soon」。 裡面有提到 CA/Browser Forum 的決議,要求各瀏覽器支援 DNS CAA: On March 8, 2017, the Certification Authority and Browser Forum (CA/Browser Forum) mandated that by September 8, 2017, CA’s are … Continue reading

Posted in AWS, Cloud, Computer, DNS, Murmuring, Network, Security|Tagged , , , , , , , , , , , , , |Leave a comment

未來 CA 將會強制要求檢查 DNS CAA record

CA/Browser 通過提案,要求以後 CA 單位都要檢查 DNS CAA record 才能發放憑證 (RFC 6844 的「DNS Certification Authority Authorization (CAA) Resource Record」):「Ballot 187 - Make CAA Checking Mandatory」。 Certificate Authority Authorization (CAA) is a DNS Resource Record defined in RFC 6844 – https://datatracker.ietf.org/doc/rfc6844/ , published … Continue reading

Posted in Computer, DNS, Murmuring, Network, Security, WWW|Tagged , , , , , , , , , , , |1 Comment