@mwlucas We need to get DANE adopted, all of these CA SSL workarounds just SUCK.
And with ESNI they're not even bothering to pretend that a DNS lookup per request or putting public key information in DNS is "bad" anymore,
@22decembre @mwlucas Yeah, and their arguments are totally BS, and their duplicity is laid bare by their own support of ESNI which.. puts public keys in DNS for SSL requests!
Google's take is likewise poor.
I think a grassroots campaign needs to be waged. Start embedding it in projects and libraries. For example imagine if mastodon for its federation protocol supported DANE.
@philpennock @22decembre @mwlucas I just uses the standard CA infrastructure that everyone else uses. Is that 'too big to fail'? I think you HAVE to support the CA infrastructure; but that doesn't mean you need to ONLY support the CA infrastructure, and you get enough things ALSO supporting DANE, and you can slowly ween people off of the CAs... kinda like how we're trying to get IPv6, or ESNI, or even SNI in the first place