PKA support
Klaus Ethgen
klaus+gnupg at ethgen.ch
Thu Apr 9 21:27:51 CEST 2026
Hi,
it will really get out of topic, however, let's summarize it a bit.
On Thu, 9 Apr 2026 at 18:07, Chandler Davis wrote:
> Sorry to go off topic, and that I don't have an answer to the
> question, but am curious about:
>
> > broken CA based system
>
> What about it is broken? I understand it has its flaws but
> haven't come across a particularly strong distaste for it
> before.
- The system relies on the weakest point in all CA's. And there are
really weak in the usual browsers/systems. (Why would you trust any of
them?)
- The only solution would be DNSSEC + TLSA but even such browsers as
Firefox broke solutions at best and all are working against it as it
would make all business models of CA's obsolete.
- All "solutions" to fix the issue make it even worse like CAA or other
"solutions" from Google.
- Making SSL invisible by allowing transparent to encrypt stuff (As TLS
is doing but that term is made weak as it is used for SSL to today).
This is no problem of the system itself but play in that game. I don't
want a SSL encrypted connection unable to talk plain text.
> > forces me to renew my certs every month or even more often.
>
> Probably quite annoying if you're not using ACME, but... why not
> use ACME?
Well, I will never allow some crappy cloud service to change my
configuration all the time. I want to have control over it.
5 years for a new cert is good. 2 years are ok(ish) and 1 year is
already a pain but shorter is not bearable!
Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C