Project

General

Profile

PKI » History » Version 3

Marc Dequènes, 2020-04-06 14:42

1 1 Marc Dequènes
h1. PKI
2
3
h2. Self-Signed CAs
4
5 3 Marc Dequènes
h3. Current Status
6 1 Marc Dequènes
7 3 Marc Dequènes
These self-signed Cas are in use in DC's infrastruture:
8
* _duckcorp_ : the main CA, we plan to continue using it for non-user-facing services
9
* _duckcorp-backup_ : used for our backup software to secure TLS communications
10
* _duckcorp-monitoring_ : used for our monitoring software to secure TLS communications
11 1 Marc Dequènes
12 3 Marc Dequènes
The _duckcorp-backup_ and _duckcorp-monitoring_ CAs could have been sub-CAs but our tool does not support it.
13 1 Marc Dequènes
14 3 Marc Dequènes
TODO: more technical details
15
16 1 Marc Dequènes
h2. Let's Encrypt
17
18 3 Marc Dequènes
h3. Current Status
19 1 Marc Dequènes
20 3 Marc Dequènes
All user facing services are using Let's Encrypt or soon are (#676).
21
22
TODO: more technical details
23
24 1 Marc Dequènes
h2. DANE
25
26 3 Marc Dequènes
"DANE":https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities is a security protocol used to reinforce TLS certificate validation by publishing certain information in the DNS. It requires your DNS zones to be secured using "DNSSEC":https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions.
27 1 Marc Dequènes
28 3 Marc Dequènes
h3. Current Status
29
30
Our zones are DNSSEC secured and we publish DANE-EE TLSA DNS records for the leaf certificates.
31
32
Services supporting DANE (or WIP):
33
* Postfix
34
* Web vhosts do not have a TLSA record yet, but this is coming (#675).
35
36
h3. Checking DANE
37
38
The "danetls":https://github.com/shuque/danetls tool is not packaged but there is a web service called "danecheck":https://www.huque.com/bin/danecheck by the same author.
39
40
h3. DANE adoption
41
42
These are just notes to check on DANE adoption in various client software.
43
44
* HTTPS: "plugins for majors browsers were developed and abandoned":https://www.dnssec-validator.cz/ because necessary API support in the browsers vanished and there is no replacement
45
* SMTP: seems to have gained traction, suggested by the various checkers, Postfix supports it and we support it (see [[Mail]])
46
* IMAP/POP3: "Thunderbird integration was refused":https://bugzilla.mozilla.org/show_bug.cgi?id=1479423 because it needs to be integrated in Firefox core first, but the "Firefox integration":https://bugzilla.mozilla.org/show_bug.cgi?id=672600 does not seem to go anywhere
47
* IRC: "Weechat integration":https://github.com/weechat/weechat/pull/121 is not making much progress despite a patch being available
48
* XMPP-c2s: ???
49
* XMPP-s2s: Prodosy has an "experimental module":https://modules.prosody.im/mod_s2s_auth_dane.html but it is unmaintained and supposed to crash sometimes (according to the known issues)