
Revision 2 (Marc Dequènes, 2019-10-01 21:42) → Revision 3/7 (Marc Dequènes, 2020-04-06 14:42)

h1. PKI

h2. Self-Signed CAs

h3. Current Status

These self-signed CAs are in use in DC's infrastructure:
* _duckcorp_: the main CA. The "DuckCorp CA":https://ca.duckcorp.org/ was created when usage of HTTPS was not very common and certificates were very expensive. Time proved we cannot trust the top CAs and their "broken security model":https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise, thus we continued to use our own CA for quite some time. Nowadays it is no longer viable to operate a self-signed CA as all software and providers reject it, thus we're now using "Let's Encrypt certificates":https://letsencrypt.org/. To counteract this loss we use another system (DANE), see below. We plan to continue using this CA for non-user-facing services.
* _duckcorp-backup_: used for our backup software to secure TLS communications
* _duckcorp-monitoring_: used for our monitoring software to secure TLS communications

The _duckcorp-backup_ and _duckcorp-monitoring_ CAs could have been sub-CAs but our tool does not support it.

TODO: more technical details

h2. Let's Encrypt

h3. Current Status

As said above, all user-facing services are using Let's Encrypt or soon will be (#676).

TODO: more technical details

h2. DANE

"DANE":https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities is a security protocol used to reinforce TLS certificate validation by publishing certain information in the DNS. It requires your DNS zones to be secured using "DNSSEC":https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions.

h3. Current Status

Our zones are DNSSEC secured and we publish DANE-EE TLSA DNS records for the leaf certificates. When possible, services are configured to validate the records if they are available (Postfix at least).

Services supporting DANE (or WIP):
* Postfix
* Web vhosts do not have a TLSA record yet, but this is coming (#675).

h3. Checking DANE

The "danetls":https://github.com/shuque/danetls tool is not packaged but there is a web service called "danecheck":https://www.huque.com/bin/danecheck by the same author.
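As an added illustration of what the DANE-EE records above encode and what a checker verifies (example code written for this page, not DuckCorp's tooling nor the danetls project), the Python below derives the "3 1 1" TLSA data from a DER certificate (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) and checks a presented certificate against a record, the comparison a DANE-validating client such as Postfix makes. The certificate is a constructed sample built inside the block; the helper names are the author's own.

```python
import hashlib

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the full DER TLV of SubjectPublicKeyInfo; selector 1 hashes exactly this."""
    _, cert, _ = _read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # TBSCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0           # skip the optional [0] version field
    for _ in range(5):                        # serial, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return tbs[pos:end]

def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """Return (usage, selector, matching, hex data); the defaults give a DANE-EE '3 1 1' record."""
    target = cert_der if selector == 0 else extract_spki(cert_der)   # 0 = full cert, 1 = SPKI
    digest = {0: lambda t: t, 1: hashlib.sha256, 2: hashlib.sha512}[matching](target)
    data = digest.hex() if matching == 0 else digest.hexdigest()
    return (usage, selector, matching, data)

def matches_tlsa(record, cert_der):
    """Does a presented leaf certificate satisfy a DANE-EE record? Recompute and compare."""
    usage, selector, matching, data = record
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled here")
    return tlsa_rdata(cert_der, usage, selector, matching)[3] == data.lower()

def _der(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

# Constructed sample certificate: structurally valid but meaningless (no real key or
# signature); real input comes from `openssl x509 -outform DER`. Only the SPKI matters here.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201")))
                   + _der(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _der(0x30, b"") * 4 + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Because selector 1 hashes only the public key, the record survives a certificate renewal that keeps the same key, which is why "3 1 1" is the usual choice for DANE-EE; a "3 0 1" record would have to be republished with every new certificate.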

h3. DANE adoption

These are just notes to check on DANE adoption in various client software.

* HTTPS: "plugins for major browsers were developed and abandoned":https://www.dnssec-validator.cz/ because the necessary API support in the browsers vanished and there is no replacement
* SMTP: seems to have gained traction, suggested by the various checkers; Postfix supports it and we support it (see [[Mail]])
* IMAP/POP3: "Thunderbird integration was refused":https://bugzilla.mozilla.org/show_bug.cgi?id=1479423 because it needs to be integrated in Firefox core first, but the "Firefox integration":https://bugzilla.mozilla.org/show_bug.cgi?id=672600 does not seem to go anywhere
* IRC: "Weechat integration":https://github.com/weechat/weechat/pull/121 is not making much progress despite a patch being available
* XMPP-c2s: ???
* XMPP-s2s: Prosody has an "experimental module":https://modules.prosody.im/mod_s2s_auth_dane.html but it is unmaintained and reportedly crashes sometimes (according to its known issues)