Sharing some thoughts after staring at some home packet captures. OCSP is as bad for privacy as plaintext SNI: http://blog.seanmcelroy.com/2019/01/05/ocsp-web-activity-is-not-private/
A few things about this:
1. No certificate transparency, but since that's to keep CAs honest, seems superfluous in this setup
2. Requires client-side DNSSEC and DANE validation, but we should have that anyway
3. No revocation possible, but if clients could validate domains on their own with DNSSEC and DANE, and if validity periods were short, does it really matter?
So, infosec.exchange, seems like infosec social media is done with EV and commercial CAs, but praises Let's Encrypt. But why do we even need an intermediary if all they do is DV? Seems like the plumbing is there to remove third-party assertions and trust if encryption is the objective:
1. Generate pub/priv keypair
2. Create X.509 cert (maybe a max validity of 7 days or something short)
3. Sign it with priv keypair
4. Enable DNSSEC (I know, I know)
5. Publish DANE TLSA record matching cert
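The numbered steps above, sketched with the openssl CLI as an added example that is not part of the original posts. The host name example.test, port 443, the P-256 key type and the TLSA parameters 3 1 1 (DANE-EE, SubjectPublicKeyInfo, SHA-256) are assumptions of this example, and OpenSSL 1.1.1 or later is assumed; DNSSEC signing of the zone (step 4) is left to the DNS server.

```shell
#!/bin/sh
# Added example: steps 1-3 and 5 of the list above with the openssl CLI.
# HOST and the port/protocol labels are constructed values.
set -eu
HOST=example.test

# Steps 1-3: new P-256 key pair and a certificate signed by that same key,
# valid for 7 days. Writes key.pem and cert.pem into directory $1.
make_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 7 -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Step 5: TLSA association data for usage 3 (DANE-EE), selector 1
# (SubjectPublicKeyInfo), matching type 1 (SHA-256), as lowercase hex.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same digest computed from the private key instead of the certificate.
# It must equal tlsa_311 of the certificate issued for that key.
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

WORK=$(mktemp -d)
make_cert "$WORK" "$HOST"
DIGEST=$(tlsa_311 "$WORK/cert.pem")

# Zone-file line to publish in the DNSSEC-signed zone for HTTPS on port 443.
RECORD="_443._tcp.$HOST. IN TLSA 3 1 1 $DIGEST"
echo "$RECORD"

# Show the 7-day validity window of the certificate just created.
openssl x509 -in "$WORK/cert.pem" -noout -dates
```

Because selector 1 hashes only the public key, the published record stays valid across the short-lived certificate renewals as long as the key is reused; a new key needs a new record published before the switch.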
I could stand to learn much more about lattice-based crypto. Bookmarking this for later: https://intensecrypto.org/public/