[Cryptech Tech] Some problems with the repo access
Jakob Schlyter
jakob at kirei.se
Sat Feb 15 08:47:37 UTC 2014
On 15 feb 2014, at 02:07, Rob Austein <sra at hactrn.net> wrote:
> Current answer is a quick Makefile hack, one could do better in a real
> programming language, or maybe Jakob has a better tool:
>
> hactrn.net/tlsa.zone: /usr/local/etc/certs/hactrn-cacert.pem
> 	( echo -n "ca.hactrn.net. TLSA 2 0 0 ("; \
> 	openssl x509 -in $< -outform DER | \
> 	hexdump -v -e '"\n\t\t" 40/1 "%02x"' ; \
> 	echo " )" ) >$@
http://people.redhat.com/pwouters/hash-slinger/
https://github.com/pieterlexis/swede
jakob
ps. I recommend TLSA 3 1 1, publishing a SHA-256 of the public key of the EE cert. Yes, you need to update the DNS if/when you roll your keys, but then you can use the same mechanisms independent of your CA and certificate renewal. And you are independent of the full PKIX path validation.
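Added example (not code from this thread, nor from hash-slinger or swede) that builds TLSA RDATA for both the 2 0 0 form in Rob's Makefile and the 3 1 1 form recommended above, using a minimal DER walker to pull the SubjectPublicKeyInfo out of a certificate. The input is a constructed, unsigned certificate-shaped blob with placeholder names and validity; a real DER certificate can be passed in the same way. It shows why selector 1 survives a renewal that keeps the same key while selector 0 does not.

```python
# Added example, not code from this thread or from hash-slinger/swede.
import hashlib

def der(tag, value):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_tlv(data, pos):
    """Decode the TLV at pos; return (tag, value, raw) with raw = tag+length+value."""
    start, tag, length, pos = pos, data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], data[start:pos + length]

def der_children(value):
    """List the (tag, value, raw) elements inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        out.append(der_tlv(value, pos))
        pos += len(out[-1][2])
    return out

def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (RFC 5280):
    TBSCertificate = [0] version OPTIONAL, serial, signature, issuer, validity,
    subject, subjectPublicKeyInfo, ..."""
    fields = der_children(der_children(der_tlv(cert_der, 0)[1])[0][1])
    if fields[0][0] == 0xA0:                        # skip the explicit version tag
        fields = fields[1:]
    return fields[5][2]

def tlsa_rdata(cert_der, usage, selector, mtype):
    """Presentation-form TLSA RDATA (RFC 6698): usage selector mtype hex-data."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)   # 0 = full cert, 1 = SPKI
    algo = {0: None, 1: "sha256", 2: "sha512"}[mtype]                # 0 = exact, 1/2 = hash
    out = data if algo is None else hashlib.new(algo, data).digest()
    return f"{usage} {selector} {mtype} {out.hex()}"

# Constructed, unsigned certificate-shaped DER (placeholder names, validity and
# signature; NOT a real certificate) so the walker can be exercised offline.
EC_OID, P256_OID, ECDSA_SHA256 = b"\x2a\x86\x48\xce\x3d\x02\x01", b"\x2a\x86\x48\xce\x3d\x03\x01\x07", b"\x2a\x86\x48\xce\x3d\x04\x03\x02"
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, EC_OID) + der(0x06, P256_OID)) + der(0x03, b"\x00\x04" + b"\x11" * 64))

def fake_cert(serial, spki=SAMPLE_SPKI):
    alg, name = der(0x30, der(0x06, ECDSA_SHA256)), der(0x30, b"")
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + alg + name + validity + name + spki
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    old, new = fake_cert(b"\x01"), fake_cert(b"\x02")            # renewal: new serial, same key
    print(tlsa_rdata(old, 3, 1, 1) == tlsa_rdata(new, 3, 1, 1))  # True: SPKI record survives
    print(tlsa_rdata(old, 3, 0, 1) == tlsa_rdata(new, 3, 0, 1))  # False: full-cert record does not
```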