Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mastodon.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
Generic Mastodon server for anyone to use.

Administered by:

Server stats:

9.2K
active users

mastodon.world: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#Introducing

0 posts0 participants0 posts today
Public
Christian

🚨 Fixing the PKI Mess: CAA + Your Own CA via DNS 🚨

Right now, any CA can issue a certificate for your domain. Even if you set a CAA record (`issue "letsencrypt.org"`), it only controls *who* can issue, not what cert is valid. This is broken.

🔐 What if we could fix this using DNS?

#Introducing CAA+CA Fingerprint: Self-Sovereign Certificate Authority
Instead of just saying *which CA can issue*, you publish your own CA's fingerprint in DNS. If your CA issues a cert for `awesomecars.com`, browsers should validate it against the DNS-published CA key.

🔥 How It Works
You run your own CA (because why trust the cartel?). You then publish:
1️⃣ A CAA record specifying your own CA (with a fingerprint! 🔥)
2️⃣ A DNS record with your CA’s public key (like DKIM but for TLS!)

🔹 Example DNS Setup for `awesomecars.com`:
```
awesomecars.com. IN CAA 0 issue "pki.awesomecars.com; sha256=abcd1234..."
pki.awesomecars.com. IN CERT 6 0 0 (--BEGIN CERTIFICATE-- ....)
```
Now, only certs signed by your CA are valid for `awesomecars.com`, even if another CA is tricked into issuing a rogue cert. No more CA hijacking!

🚀 Why Is This Better Than the Current CA Model?
✅ Self-Sovereign Identity: If you own the domain, you should own its PKI.
✅ Prevents Rogue Certs: No government or rogue CA can fake a cert for your domain.
✅ Works Like DKIM for Email: Your CA’s public key is stored in DNSSEC-protected records, just like DKIM keys for email signing.
✅ No More External Trust Issues: You control your CA entirely, instead of relying on Google’s CA store.
✅ Perfect for Self-Hosting & Internal Networks: No need for external CA trust—your DNS is your trust model.

🔥 Why Isn’t This a Thing Already?
Big Tech hates this idea because it removes their control:
❌ Google wants Certificate Transparency (CT), where they control which certs are logged.
❌ Commercial CAs make $$$ selling certs. This kills their business.
❌ DNSSEC adoption is intentionally kept low by the same companies who don’t want this to succeed.

Browsers refuse to support TLSA for the same reason—they want centralized CA trust, not self-hosted PKI.

🔗 Who Needs to Implement This?
🚀 Self-hosters & Homelabs: Use this for your own infrastructure.
🚀 Email providers: Stop relying on public CAs!
🚀 Privacy-focused projects (Tor, Matrix, XMPP, Fediverse, etc.): A true decentralized PKI alternative.
🚀 Fediverse devs: Let’s push for DNS-based CA validation!

What do you think? Would you trust your own CA in DNS over some random commercial CA?

🔁 Boost this if you want a decentralized PKI revolution!

🔥 This keeps the focus on self-hosting your own CA, highlights the security flaws of current PKI, and calls out Big Tech’s resistance to decentralized trust.

#PKI#Security#DNSSEC
Public *
Just Bob 🇺🇲♒🐧🪖

Introducing 𝐓𝐢𝐝𝐲 𝐒𝐞𝐚𝐫𝐜𝐡:⁣

Like the 𝐅𝐞𝐝𝐢𝐯𝐞𝐫𝐬𝐞 and 𝐗𝐌𝐏𝐏, The plan is to share the work on any platform (OS) and any environment. By using a "protocol" like 𝐀𝐜𝐭𝐢𝐯𝐢𝐭𝐲𝐏𝐮𝐛, the goal is to have a decentralize search engine and having multiple systems building the index. Possibly even your phone with your consent of course.⁣

With all the corporate systems using 𝐀𝐈, that is the last thing we want. We do not want 𝐒𝐤𝐲𝐧𝐞𝐭. We also, do not want any kind of tracking like the corporations nor advertising. Using the same concepts as XMPP and ActivityPub, this is how we at 𝐌𝐏𝐀𝐐 are 𝘵𝘢𝘬𝘪𝘯𝘨 𝘵𝘩𝘦 𝘪𝘯𝘵𝘦𝘳𝘯𝘦𝘵 𝘣𝘢𝘤𝘬, like it was back in the 𝐁𝐁𝐒 days.⁣

A couple weeks ago, I started writing in PHP for MySQL database. I'd love to see anyone else that knows other langues, that would like to build a version. You can use it at search.mpaq.org At this point, it needs an API that has "key" updating, but like the Fediverse, the data should be accessible with JSON code.⁣ Indexing 10 websites with over 3,000 pages and now adding #news sites.

#Introducing#Intro#Introduction
Public
Alan Summers

Our popular longstanding beginners course, Introducing...Haiku will be starting again on 7th January 2025.

This course is suitable for complete beginners (at haiku, or at creative writing), but at the same time stimulating enough to introduce haiku as a new form to those who are already writing poetry or prose, or even as a refresher for experienced haiku writers.

callofthepage.org/courses/haik

www.callofthepage.orgCall of the Page - One-Line HaikuNew page
#introducing#haiku#course
Public
Alan Summers

Our popular longstanding beginners course, Introducing...Haiku will be starting again on 7th January 2025.

This course is suitable for complete beginners (at haiku, or at creative writing), but at the same time stimulating enough to introduce haiku as a new form to those who are already writing poetry or prose, or even as a refresher for experienced haiku writers.

callofthepage.org/courses/haik

www.callofthepage.orgCall of the Page - One-Line HaikuNew page
#introducing#haiku#course
ExploreLive feeds
About