[TriLUG] The sad state of sysadmin in the age of containers

Randy Barlow via TriLUG trilug at trilug.org
Wed Mar 18 17:50:14 EDT 2015


On 03/13/2015 04:21 PM, Igor Partola via TriLUG wrote:
> As far as the CA system goes, I have an idea that I like quite a
> bit: when you buy a domain name, your registrar gives you a local
> CA keypair (or rather you generate one and they sign it), giving
> you the ability to create unlimited certificates for your domain
> only. Essentially, you and only you may generate certificates for
> example.com or *.example.com if you own example.com. The registrar
> then revokes any previously issued CA keypair signatures they
> issued for example.com, if they have not expired on their own.

I like this idea. I've been thinking about this problem a bit lately
myself. Of course, you'd still also need a way to communicate securely
while you retrieve the DNS records, so you know which registrar's CA
you should be checking the domain CA against. I've heard people say
the word "DNSSEC" before, but I get glossy eyed when I hear it.
Perhaps I should look into that ☺

-- 
Randy Barlow
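The "domain-only CA" Igor describes is what X.509 name constraints (RFC 5280) express: the registrar signs the owner's CA certificate with a permitted-subtree constraint, and relying parties reject anything that CA signs for other names. Below is an added illustration with OpenSSL, not code from the thread; the "Registrar Root", example.com and www.evil.test names are constructed, and the enforcement happens in the verifier, not in the domain CA, which can still sign a certificate for any name.

```shell
#!/bin/sh
# Added example: a registrar root signs a domain CA restricted to example.com,
# then a verifier accepts a leaf for www.example.com and rejects one for
# www.evil.test even though the same domain CA signed both. Requires openssl.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Registrar root (the registrar in the post); self-signed, CA:TRUE by default.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Registrar Root" -days 365 >/dev/null 2>&1

# 2. Domain CA: the owner generates the key and CSR, the registrar signs it
#    with a critical name constraint permitting only example.com and subdomains.
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr \
  -subj "/CN=example.com domain CA" >/dev/null 2>&1
cat > domain.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:example.com
EOF
openssl x509 -req -in domain.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out domain.crt -days 365 -extfile domain.ext >/dev/null 2>&1

# issue_leaf NAME: the domain owner signs a leaf for NAME (SAN carries the name).
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA domain.crt -CAkey domain.key \
    -CAcreateserial -out "$1.crt" -days 90 -extfile "$1.ext" >/dev/null 2>&1
}

# verify_leaf NAME: returns 0 if the chain leaf -> domain CA -> registrar root
# validates, 1 otherwise (a name-constraint violation makes it fail).
verify_leaf() {
  openssl verify -CAfile root.crt -untrusted domain.crt "$1.crt" >/dev/null 2>&1
}

issue_leaf www.example.com
issue_leaf www.evil.test   # the domain CA can sign this; verifiers must reject it
verify_leaf www.example.com && echo "www.example.com: accepted"
verify_leaf www.evil.test || echo "www.evil.test: rejected (permitted subtree violation)"
```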