Please consider enabling OCSP stapling, DNSSEC, and/or DANE on *.reproducible-builds.org

Mattia Rizzolo mattia at mapreri.org
Mon Apr 17 12:33:05 UTC 2023


Hello John,

On Sat, Apr 15, 2023 at 02:38:04AM +0000, John Scott wrote:
> OCSP stapling is the modern, privacy-friendly way to determine a certificate's revocation status. It incurs very little overhead on the server side. One can use curl to check if OCSP stapling is working, at least for HTTPS:
> 
> $ curl --cert-status https://reproducible-builds.org
> curl: (91) No OCSP response received

You are quite right on this.

I personally never bothered enabling OCSP stapling despite knowing of
it, but it's something that I can totally look into and do.

> OCSP stapling is useful for other TLS applications, however, including for SMTP on the list server.

I'm not aware of any way to do OCSP in postfix?

> Enabling DNSSEC mitigates DNS spoofing and also ascertains the authenticity of DANE records.

We have no excuses for not having enabled DNSSEC long ago: our DNSs are
hosted by Gandi, which handles DNSSEC with a single button.

Just to be on the safe side, I've now tried to enable DNSSEC on
reproducible.build and diffoscope.org, and if nothing weird happens I'll
also switch on reproducible-builds.org.

> DANE mitigates so-called "SSL stripping" attacks and allows users to validate the authenticity of the TLS certificates without having to rely on the traditional problematic certificate authority system.


DANE of course comes only after DNSSEC (otherwise it's pointless…).

I have some work planned on our email setup (not strictly related to
the lists), so I'll check the DANE-related configurations in the coming
weeks.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
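Added example, not part of the thread above: the DANE check a validating SMTP or HTTPS client performs once the TLSA RRset has passed DNSSEC validation, plus the derivation of the TLSA record an operator publishes for its certificate. The DER byte strings for the certificate and its SubjectPublicKeyInfo are constructed placeholders (a real client takes them from the TLS handshake).

```python
import hashlib

# Constructed placeholder DER blobs standing in for a server certificate and
# the SubjectPublicKeyInfo extracted from it; only their stability matters here.
CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-body"
SPKI_DER = b"\x30\x59" + b"constructed-subject-public-key-info"


def tlsa_rdata(cert_der: bytes, spki_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Presentation form of a TLSA record (RFC 6698) for the given certificate.

    usage 3 = DANE-EE (pin the end-entity cert itself, the usual choice for SMTP),
    selector 0 = whole certificate, 1 = SubjectPublicKeyInfo,
    matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512.
    """
    data = {0: cert_der, 1: spki_der}[selector]
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    elif mtype != 0:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {data.hex()}"


def parse_tlsa(rdata: str):
    """Split '3 1 1 <hex>' into its four fields; hex may contain spaces."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Recompute the association data from the presented certificate and compare
    it with the published record. Without DNSSEC the record itself is untrusted,
    which is why DANE only makes sense after the zone is signed."""
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage != 3:
        # Usages 0-2 need chain building against a trust anchor; not modelled here.
        raise NotImplementedError("only DANE-EE (usage 3) is handled in this example")
    recomputed = tlsa_rdata(cert_der, spki_der, usage, selector, mtype)
    return parse_tlsa(recomputed)[3] == expected
```

The record returned by tlsa_rdata(..., 3, 1, 1) is what would be published at _25._tcp.<mailhost> for SMTP; tlsa_matches fails as soon as the presented key changes, so the record must be rotated together with the key.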