Jakob Schlyter

The next root zone KSK has been published: dnsviz.net/d/root/Z4IS8Q/… It will coëxist with the current KSK for some time, giving resolvers many opportunities to update and eventually cut over to the new KSK.

Some things in life are rare compliments. This being one.

From the TLS newsletter: With RFC 9495, CAA has been extended to control issuance of S/MIME certificates. buff.ly/47e0vg9

The Draft Report of the Root Zone DNSSEC Algorithm Rollover Study is now out of the box at icann.org/en/public-comm…

In 1984, the Naval Institute Press took a chance on a book by an unknown author that went on to become a bestseller. This clip is of Tom Clancy making his first national TV appearance on Good Morning America to discuss The Hunt for Red October. #BookLoversDay

Story I wrote about backdoor in TETRA radio standard got lots of interest, with many calling out ETSI for keeping the encryption algorithms secret. I decided to publish my entire interview with Brian Murgatroyd of ETSI so readers can see his justifications zetter.substack.com/p/interview-wi…

From the TLS newsletter: There’s a new website dedicated to ACME and the surrounding ecosystem. buff.ly/3XsI1EV

Parsing time stamps faster with SIMD instructions In software, it is common to represent time as a time-stamp string. It is usually specified by a time format string. Some standards use the format %Y%m%d%H%M%S meaning that we print the year, the month, the day, the hours, the minutes and the seconds (e.g., 20230701205436). It is convenient because it is short, easy to read and if you sort the strings lexicographically, you also sort them chronologically. You can generate time stamps using any programming language. We are interested in the problem of parsing these strings. In practice, this means that we want to convert them to an integer presenting the number of seconds since the Unix epoch. The way you typically solve this problem is to use something like the C function strptime. Can we do better? Yes. We can go much faster. Find out how at: lemire.me/blog/2023/07/0… cc @NLnetLabs

If you have not read the EU Council Legal Service opinion on the EU's #ChatControl proposal — their version of the #OnlineSafetyBill spyware clauses — you really should. It is *damning* about EU/UK state anti-encryption proposals: Extracts below; src: aeur.eu/f/6ql

A new proposal makes revocation and OCSP infrastructure OPTIONAL for short-lived (< 10 day) certificates: github.com/cabforum/serve… The beginning of the end of cert revocation!! 🙌

Simdzone, our super fast #DNS zone file parser, will be maintained as a standalone project. We now took another step towards a releasing as part of NSD with support for makefile based builds. github.com/NLnetLabs/simd…

Bulletproof TLS Newsletter 100 is out!! 🎉 To celebrate this milestone AND ten years of OpenSSL Cookbook, we have relicensed OpenSSL Cookbook under the Creative Commons Attribution-NonCommercial license. We hope this will lead to new translations. feistyduck.com/bulletproof-tl…

Peter Gutmann has a delightful one-page paper on post-quantum crypto... cs.auckland.ac.nz/~pgut001/pubs/…

Nej, uppgifter i media och här på twitter om att Moderaterna och regeringen har sagt ja till EU-kommissionens förslag om ” Chat Control ” (massövervakning av kommunikation på nätet) stämmer inte. Så här ligger det till: ericsoniubbhult.se

OpenSSL support for RFC7250 raw public keys has been merged into the 3.2 development branch (master): #event-8868235464" target="_blank" rel="nofollow noopener">github.com/openssl/openss… This supports trust validation via DANE TLSA records! I have pre-release code that adds DANE-with-RPK support to Postfix: github.com/vdukhovni/post…

@davidbrax 🐓 or 🥚 – ☕️ or ☀️

Github just rolled their compromised RSA-key - perhaps it is time to implement DNSSEC with SSHFP? (cc @_mph4 @GitHubSecurity)

Call for applications! Only a few days left until the deadline for applications for the DNS Hackathon 2023. Don’t miss out. Send your application now. For more details and ideas of some possible projects, read here netnod.se/join-the-dns-h… @dnsoarc @ripencc #RIPE86 #DNSHackathon

@VDukhovni Who provides such bad advice?

The .ht TLD (Haiti) is now signed: dnsviz.net/d/ht/ZA-egg/dn… The main nit is that the RSA keys are too beefy: a 4096-bit KSK and a 2048-bit ZSK. A better choice would be ECDSA P256, or with RSA a 2048-bit KSK and a 1280-bit ZSK. A lesser nit is 10 NSEC3 iterations rather than 0.

Honored to represent @googlechrome at the CA/Browser Forum Face-to-Face Meeting 58. We announced a few exciting updates, including results from our recent CA survey. Learn more here: drive.google.com/file/d/1M71yS4… Let’s keep working together to make the web a safer place. 🚀🔒🔑