David Cross @david@mastodon.crossfamilyweb.com

Another (trivial) patch accepted to #FreeBSD kernel. Will get that core commit back. Patch by loving patch!

@bcallah you’re welcome 😂

@lattera could you do this via nice(2) and not be overly specific? I guess the question is, what does prioritization of VMs look like that isn’t nice(2)?

I am such a lightweight. 2 margaritas totally makes me tipsy now

Ohhhhh. Another

Best one I have seen so far

@mwlucas in your section on being your own CA, are you covering openssl native commands? what about multi-level/intermediate CAs and setting CA path length maximums? I ask since I recently had to integrate a system that wanted to be its own CA, and I was like 'nah, I already got a CA' so I delegated it a sub CA with restrictions.

(yes, I have an overly complex home network)

@philpennock @22decembre @mwlucas I just uses the standard CA infrastructure that everyone else uses. Is that 'too big to fail'? I think you HAVE to support the CA infrastructure; but that doesn't mean you need to ONLY support the CA infrastructure, and you get enough things ALSO supporting DANE, and you can slowly ween people off of the CAs... kinda like how we're trying to get IPv6, or ESNI, or even SNI in the first place

@mwlucas @22decembre this reminds me of cloudflare's business model. Everything they do/support (ESNI, DoH, DNS) works better/faster if you are their customer, and slower than before if you are not.

@mwlucas @22decembre Never thought about it.

But the question is 'why?' they don't love the CA cartel, they've undercut the CAs at every opportunity. Their solutions of certificate pinning, certificate transparency, have been shown to be snakeoil and crap at every turn... What do they get by opposing DANE/DNSSEC... ESPECIALLY as they support a DNS powered ESNI?

@22decembre @mwlucas Yeah, and their arguments are totally BS, and their duplicity is laid bare by their own support of ESNI which.. puts public keys in DNS for SSL requests!

Google's take is likewise poor.

I think a grassroots campaign needs to be waged. Start embedding it in projects and libraries. For example imagine if mastodon for its federation protocol supported DANE.

@florian @mwlucas
DNSSEC no need to 'hope' for anything.

@VerdanuOsane@mstdn.io 😐

@mwlucas We need to get DANE adopted, all of these CA SSL workarounds just SUCK.

And with ESNI they're not even bothering to pretend that a DNS lookup per request or putting public key information in DNS is "bad" anymore,

@mwlucas Hey, Certificate Transparency solves all 🤮 Have I introduced you to my lord and savior #DANE? :)

And... back is it 2022 yet?

@lattera 100gb of memory?! 😱

@bcallah last 4 months?! It is still March!

@bcallah it is still March!!