PKI » History » Revision 4
Revision 3 (Marc Dequènes, 2020-04-06 14:42) → Revision 4/7 (Marc Dequènes, 2020-04-06 15:27)
h1. PKI h2. Self-Signed CAs h3. Current Status These self-signed Cas are in use in DC's infrastruture: * _duckcorp_ : the main CA, we plan to continue using it for non-user-facing services * _duckcorp-backup_ : used for our backup software to secure TLS communications * _duckcorp-monitoring_ : used for our monitoring software to secure TLS communications The _duckcorp-backup_ and _duckcorp-monitoring_ CAs could have been sub-CAs but our tool does not support it. We use project:mkcert manually to generate and renew certificates. It can be run in place in our infra repository, as described in source:README.md. TODO: more technical details h2. Let's Encrypt h3. Current Status All user facing services are using Let's Encrypt or soon are (#676). TODO: more technical details h2. DANE "DANE":https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities is a security protocol used to reinforce TLS certificate validation by publishing certain information in the DNS. It requires your DNS zones to be secured using "DNSSEC":https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions. h3. Current Status Our zones are DNSSEC secured and we publish DANE-EE TLSA DNS records for the leaf certificates. Services supporting DANE (or WIP): * Postfix * Web vhosts do not have a TLSA record yet, but this is coming (#675). h3. Checking DANE The "danetls":https://github.com/shuque/danetls tool is not packaged but there is a web service called "danecheck":https://www.huque.com/bin/danecheck by the same author. h3. DANE adoption These are just notes to check on DANE adoption in various client software. * HTTPS: "plugins for majors browsers were developed and abandoned":https://www.dnssec-validator.cz/ because necessary API support in the browsers vanished and there is no replacement * SMTP: seems to have gained traction, suggested by the various checkers, Postfix supports it and we support it (see [[Mail]]) * IMAP/POP3: "Thunderbird integration was refused":https://bugzilla.mozilla.org/show_bug.cgi?id=1479423 because it needs to be integrated in Firefox core first, but the "Firefox integration":https://bugzilla.mozilla.org/show_bug.cgi?id=672600 does not seem to go anywhere * IRC: "Weechat integration":https://github.com/weechat/weechat/pull/121 is not making much progress despite a patch being available * XMPP-c2s: ??? * XMPP-s2s: Prodosy has an "experimental module":https://modules.prosody.im/mod_s2s_auth_dane.html but it is unmaintained and supposed to crash sometimes (according to the known issues)