PKI » History » Version 4
Marc Dequènes, 2020-04-06 15:27
| 1 | 1 | Marc Dequènes | h1. PKI |
|---|---|---|---|
| 2 | |||
| 3 | h2. Self-Signed CAs |
||
| 4 | |||
| 5 | 3 | Marc Dequènes | h3. Current Status |
| 6 | 1 | Marc Dequènes | |
| 7 | 3 | Marc Dequènes | These self-signed Cas are in use in DC's infrastruture: |
| 8 | * _duckcorp_ : the main CA, we plan to continue using it for non-user-facing services |
||
| 9 | * _duckcorp-backup_ : used for our backup software to secure TLS communications |
||
| 10 | * _duckcorp-monitoring_ : used for our monitoring software to secure TLS communications |
||
| 11 | 1 | Marc Dequènes | |
| 12 | 3 | Marc Dequènes | The _duckcorp-backup_ and _duckcorp-monitoring_ CAs could have been sub-CAs but our tool does not support it. |
| 13 | 1 | Marc Dequènes | |
| 14 | 4 | Marc Dequènes | We use project:mkcert manually to generate and renew certificates. It can be run in place in our infra repository, as described in source:README.md. |
| 15 | 3 | Marc Dequènes | |
| 16 | 1 | Marc Dequènes | h2. Let's Encrypt |
| 17 | |||
| 18 | 3 | Marc Dequènes | h3. Current Status |
| 19 | 1 | Marc Dequènes | |
| 20 | 3 | Marc Dequènes | All user facing services are using Let's Encrypt or soon are (#676). |
| 21 | |||
| 22 | TODO: more technical details |
||
| 23 | |||
| 24 | 1 | Marc Dequènes | h2. DANE |
| 25 | |||
| 26 | 3 | Marc Dequènes | "DANE":https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities is a security protocol used to reinforce TLS certificate validation by publishing certain information in the DNS. It requires your DNS zones to be secured using "DNSSEC":https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions. |
| 27 | 1 | Marc Dequènes | |
| 28 | 3 | Marc Dequènes | h3. Current Status |
| 29 | |||
| 30 | Our zones are DNSSEC secured and we publish DANE-EE TLSA DNS records for the leaf certificates. |
||
| 31 | |||
| 32 | Services supporting DANE (or WIP): |
||
| 33 | * Postfix |
||
| 34 | * Web vhosts do not have a TLSA record yet, but this is coming (#675). |
||
| 35 | |||
| 36 | h3. Checking DANE |
||
| 37 | |||
| 38 | The "danetls":https://github.com/shuque/danetls tool is not packaged but there is a web service called "danecheck":https://www.huque.com/bin/danecheck by the same author. |
||
| 39 | |||
| 40 | h3. DANE adoption |
||
| 41 | |||
| 42 | These are just notes to check on DANE adoption in various client software. |
||
| 43 | |||
| 44 | * HTTPS: "plugins for majors browsers were developed and abandoned":https://www.dnssec-validator.cz/ because necessary API support in the browsers vanished and there is no replacement |
||
| 45 | * SMTP: seems to have gained traction, suggested by the various checkers, Postfix supports it and we support it (see [[Mail]]) |
||
| 46 | * IMAP/POP3: "Thunderbird integration was refused":https://bugzilla.mozilla.org/show_bug.cgi?id=1479423 because it needs to be integrated in Firefox core first, but the "Firefox integration":https://bugzilla.mozilla.org/show_bug.cgi?id=672600 does not seem to go anywhere |
||
| 47 | * IRC: "Weechat integration":https://github.com/weechat/weechat/pull/121 is not making much progress despite a patch being available |
||
| 48 | * XMPP-c2s: ??? |
||
| 49 | * XMPP-s2s: Prodosy has an "experimental module":https://modules.prosody.im/mod_s2s_auth_dane.html but it is unmaintained and supposed to crash sometimes (according to the known issues) |