[Cryptech Tech] Some problems with the repo access

Rob Austein sra at hactrn.net
Fri Feb 14 13:34:18 UTC 2014


At Fri, 14 Feb 2014 17:03:33 +0900, Randy Bush wrote:
> 
> > We should at least do TLSA (3 1 1) for the website:
> > 
> > _443._tcp.cryptech.is. IN TLSA 3 1 1 b348d66d3e8b24437a9857bb3210ffd503f7e3f97a481d97bc07306870aa8873
> 
> agree.

Sure.  Well, I might use one of the forms that covers the CA rather
than just the EE, but I don't care enough to argue, and I already know
that Randy disagrees with me on this, so it would be an argument.

So, sure, I'll go with what Jakob says here (and I've verified that
the digest matches the EE certificate, just for drill).

> would if i could
> 
> zone "cryptech.is" { type slave; file "secondary/is.cryptech";
>      masters { 193.10.5.91; 193.11.20.167; }; };
> 
> please tell me these do not violate 2182

Maybe Jakob understands what Randy is asking here, but I don't.

> > and enable strict transport security so that people will use HTTPS forever.
> 
> i have no problem with that

I'm guessing that I should wait for the TLSA before enabling strict
transport security, but am willing to be persuaded otherwise if folks
think I'm wrong about this.
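
Added example, not part of the original message: a Python sketch of the check mentioned above (that a TLSA digest matches a certificate), generalised from 3 1 1 to the RFC 6698 selector and matching-type values. The sample certificate is a constructed, unsigned DER skeleton, and all function and constant names are this example's own.

```python
import hashlib
import hmac

def _tlv(buf, pos):  # -> (tag, content_start, end) of the DER element at pos
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def spki_der(cert):
    """Return the complete SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = _tlv(cert, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _ in range(5):                     # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    tag, _, end = _tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def tlsa_matches(rdata, cert):
    """Compare presentation-format rdata ("usage selector mtype hex") with one DER certificate."""
    _usage, selector, mtype, hexdata = rdata.split(None, 3)  # usage picks which chain cert to pass
    if selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        raise ValueError("unsupported selector or matching type")
    selected = spki_der(cert) if selector == "1" else cert
    algo = {"1": "sha256", "2": "sha512"}.get(mtype)
    data = hashlib.new(algo, selected).digest() if algo else selected
    return hmac.compare_digest(data, bytes.fromhex("".join(hexdata.split())))

def _der(tag, body):                       # minimal encoder, used only to build the sample
    k = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + head + body

# Constructed sample: an unsigned, certificate-shaped DER skeleton with empty names.
ALG = _der(0x30, b"\x06\x03\x2b\x65\x70")
SAMPLE_SPKI = _der(0x30, ALG + _der(0x03, b"\x00" + bytes(range(32))))
TBS = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + ALG + b"\x30\x00" * 3 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, TBS + ALG + _der(0x03, bytes(65)))

if __name__ == "__main__":
    print("3 1 1", hashlib.sha256(spki_der(SAMPLE_CERT)).hexdigest())
```

With a real certificate, pass its DER bytes (for example from `ssl.PEM_cert_to_DER_cert`) together with the record's rdata string.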
