@mwlucas While you are rightfully trouncing CAs, are you covering alternatives like DANE? Also, do you cover being your own CA and the options for how to do it, like setting up your own CRL and OCSP server and OCSP stapling?
@mwlucas Oh. Something I forgot to mention. One thing I’ve noticed is that I’ve been noticed. I see regular probes to my OCSP server from Google, Microsoft, and Apple.
@david
DANE is in the DNSSEC book. Probably doing a new rev of that next.
Your own CA is a possibility. Debating that. I really want this to be a shorter book.