Marc S. Weidner BOT e0905e1f7c DEPLOY BOT: 🔁 Auto-Generate PDFs from *.rfc.xml. [skip ci]


1. RFC I-D draft-weidner-catalog-rr-ext

Centurion Intelligence Consulting Agency Information Security Standard
RFC I-D draft-weidner-catalog-rr-ext
Master Version: 1.00
Build: V1.01.192.2025.06.06

The RFC I-D draft-weidner-catalog-rr-ext proposes an extension to the Certification Authority Authorization (CAA) DNS Resource Record (RR) that allows a domain holder to bind Certificate Transparency (CT) log URIs directly in DNS, either as a mandatory or as an optional constraint. By embedding CT log endpoints in CAA RRs, Certification Authorities (CAs) gain a standardized, discoverable mechanism for learning which CT logs the domain holder prefers or permits before issuing, which tightens the auditability of X.509 TLS certificate issuance.
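The mechanism the draft builds on is the existing CAA record (RFC 8659): a CA climbs the DNS tree to find the relevant CAA RRset, honours the properties it understands, and must refuse to issue if it meets a property it does not understand whose Issuer Critical flag is set. That flag is what turns a CT-log binding from optional into mandatory. The following is an added example, not code from the draft or the repository: it encodes and decodes CAA RDATA in wire format, performs the RFC 8659 lookup over a constructed in-memory zone, and evaluates issuance for a CT-aware and a legacy CA. The property tag `ctlog`, the CA names and the zone contents are placeholders chosen for illustration; the page does not give the draft's actual tag name.

```python
"""CAA RR wire-format parser and issuance evaluation (RFC 8659), with a
placeholder CT-log property.  Added example; the tag name "ctlog" is assumed."""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80                      # RFC 8659 s.4.1: bit 0 (MSB) of Flags
CTLOG_TAG = "ctlog"                         # ASSUMED placeholder, not the draft's tag
STANDARD_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


def build_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Encode Flags | Tag Length | Tag | Value (RFC 8659 s.4.1)."""
    t = tag.encode("ascii")
    return bytes([flags & 0xFF, len(t)]) + t + value.encode("utf-8")


def parse_caa_rdata(rdata: bytes) -> CAA:
    """Decode one CAA RDATA; rejects truncated records and bad tags."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len]
    if not tag.isalnum():                   # bytes.isalnum() is ASCII-only
        raise ValueError("CAA tag must be ASCII alphanumeric")
    return CAA(flags, tag.decode("ascii").lower(), rdata[2 + tag_len:].decode("utf-8"))


def relevant_caa_set(zone: dict, fqdn: str) -> list:
    """RFC 8659 s.3: climb from the FQDN toward the root; the first owner name with
    a non-empty CAA RRset is the relevant one (CNAME/DNAME following omitted)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse_caa_rdata(r) for r in rrset]
    return []


def evaluate_issuance(caa_set, ca_domain, wildcard=False, known_tags=None):
    """Return (permitted, ct_log_uris) for the CA identified by ca_domain.

    An Issuer Critical property the CA does not understand forbids issuance
    (RFC 8659 s.4.1): flags=128 on the CT-log property makes it mandatory,
    flags=0 leaves it optional for CAs that predate the extension."""
    known = STANDARD_TAGS | {CTLOG_TAG} if known_tags is None else set(known_tags)
    if not caa_set:
        return True, []                     # no CAA in the tree: unrestricted
    if any(rr.critical and rr.tag not in known for rr in caa_set):
        return False, []                    # unknown critical property: refuse
    tag = "issuewild" if wildcard else "issue"
    relevant = [rr for rr in caa_set if rr.tag == tag]
    if wildcard and not relevant:           # RFC 8659 s.4.3: fall back to "issue"
        relevant = [rr for rr in caa_set if rr.tag == "issue"]
    if relevant:
        # value is "<issuer-domain>[; key=value ...]"; an empty issuer forbids issuance
        allowed = {rr.value.split(";")[0].strip().lower() for rr in relevant}
        if ca_domain.lower() not in allowed:
            return False, []
    logs = [rr.value for rr in caa_set if rr.tag == CTLOG_TAG and CTLOG_TAG in known]
    return True, logs


# Constructed sample zone (owner name -> wire-format RDATA).  Not real data.
SAMPLE_ZONE = {
    "example.com": [
        build_caa_rdata(0, "issue", "ca.example.net"),
        build_caa_rdata(0, "iodef", "mailto:security@example.com"),
        build_caa_rdata(ISSUER_CRITICAL, CTLOG_TAG, "https://ct.example.org/2025/"),  # mandatory
    ],
    "legacy.example.com": [
        build_caa_rdata(0, "issue", "ca.example.net"),
        build_caa_rdata(0, CTLOG_TAG, "https://ct.example.org/2025/"),               # optional
    ],
}

if __name__ == "__main__":
    for name in ("www.example.com.", "legacy.example.com.", "host.example.org."):
        rrs = relevant_caa_set(SAMPLE_ZONE, name)
        print(name, "CT-aware CA:", evaluate_issuance(rrs, "ca.example.net"))
        print(name, "legacy CA:  ", evaluate_issuance(rrs, "ca.example.net", known_tags=STANDARD_TAGS))
```

Running it shows the two bindings side by side: under `example.com` the critical `ctlog` property lets the CT-aware CA issue and hands it the log URI, while a legacy CA that does not know the tag is refused; under `legacy.example.com` the same property without the critical flag is simply ignored by the legacy CA and still honoured by the CT-aware one.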

  • The most recent working version of this document, open issues, and related resources are available here.
  • The author gratefully accepts pull requests.
  • The author's PGP keys are available at: /.pubkey

1.1. Preliminary Remarks

1.1.1. HSM

Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to move to a room-gapped environment. ^^

1.1.2. DNSSEC, HSTS, TLS

Please note that coresecret.dev is included in the HSTS Preload List and always serves the headers:

add_header Expect-CT                 "max-age=86400, enforce"                       always;  # legacy CT enforcement header
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;  # two years, subdomains, preload-eligible

Note that Expect-CT is obsolete: Chrome dropped support for it in 2022, since every publicly trusted certificate must carry CT SCTs anyway, so the header is harmless but no longer enforces anything. The Strict-Transport-Security header is the one that matters for preloading.
  • Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at: DNSSEC Audit Report
  • A comprehensive TLS audit of the git.coresecret.dev Gitea server is also available. See: TLS Audit Report
  • The infrastructure of the Centurion Net Developer Branch is visualized here. See: Centurion Net

1.1.3. Gitea Action Runner Hardening

The CI runners operate on a dedicated host in a separate Autonomous System (AS). That host does nothing but run CI runners. Each runner is isolated from the others under its own non-privileged, shell-less user account with no login capability, executes in its own directory tree, uses systemd's DynamicUser feature, and is subject to strict systemd hardening (a systemd-analyze security exposure score of 2.6 on a scale of 0 to 10, where lower is safer). Docker containers used by the runners do not run in privileged mode. A host firewall (UFW) and dedicated hardware firewall appliances further restrict network access.
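The following unit is an added example of the hardening described above, not the unit file used by this project: it combines DynamicUser with the systemd sandboxing directives that drive the systemd-analyze security score. The binary path, the `daemon --config` invocation, the state directory and the use of the `docker` group are assumptions for illustration.

```ini
# /etc/systemd/system/act_runner.service  (added example; paths and the
# runner invocation are assumptions, not taken from the project)
[Unit]
Description=Gitea Actions runner (hardened)
After=network-online.target docker.service
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
# Shell-less, non-login UID allocated at start; only StateDirectory is writable and persistent
DynamicUser=yes
StateDirectory=act_runner
WorkingDirectory=/var/lib/act_runner
SupplementaryGroups=docker
Restart=on-failure
# Filesystem: read-only root, no /home, private /tmp and /dev, other processes hidden
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectProc=invisible
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# Privileges: no setuid escalation, empty capability set, no new namespaces, no W+X memory
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
UMask=0077
# Syscalls and sockets: only what a network service needs
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

[Install]
WantedBy=multi-user.target
```

Check the result with `systemd-analyze security act_runner.service`, which lists every directive with its exposure contribution and the overall score. One caveat worth keeping in mind when reading the score: if the runner reaches Docker through the daemon socket (the `docker` group above), it can ask the daemon for privileged containers no matter what the unit forbids, so "containers do not run privileged" rests on the runner configuration, not on the sandbox; a rootless daemon or a filtering socket proxy closes that gap.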

1.2. Versioning Schema

This project adheres to a structured versioning scheme of the form x.y.z-Date. In the build strings themselves the date is appended with a dot rather than a hyphen.

Example: 1.00.128.2025.06.03

x.y.z represents major (x), minor (y), and patch (z) version increments.

Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring reproducibility and traceability.

3. Licensing & Compliance

This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX standard for license expressions and metadata.

4. Disclaimer

This README is provided "as-is" without any warranty.


no tracking | no logging | no advertising | no profiling | no bullshit

Repository metadata: license EUPL-1.2; languages Shell 95.2%, Lua 4.8%; project site https://coresecret.eu/