On Oct 12, 2012, at 9:45 AM, Tony Finch wrote:

> Marc Lampo <[email protected]> wrote:
>
>> Before the draft was adopted as RFC I asked how to cope with proxies.
>
> Why are proxies a problem for DANE in particular, rather than TLS in
> general?

Because how the proxies work is they add an additional root key into the (victim) browser during some form of configuration. DANE makes the injected root key no longer valid. Of course, certificate pinning and other techniques have the same problem, and IMO, killing the idea of TLS proxies is a feature, so DANE's general incompatibility with TLS proxies is a feature, not a bug.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
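
The following is an added example, not part of the original message: a sketch of RFC 6698 TLSA matching showing why a chain re-signed under a locally injected root fails DANE even though the local trust store accepts it. The certificate bytes are constructed stand-ins for DER, only selector 0 (full certificate) is handled, the TLSA RRset is assumed to be DNSSEC-validated already, and the names `TLSA`, `association` and `dane_accepts` are hypothetical.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate (the only selector handled here)
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data from the record

def association(cert_der: bytes, mtype: int) -> bytes:
    """Compute the association data for a certificate (selector 0)."""
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type")

def dane_accepts(rrset, chain, pkix_ok: bool) -> bool:
    """chain[0] is the end-entity cert, chain[1:] the CA certs presented.
    pkix_ok is the verdict of the local trust store (assumption: the
    presented chain includes the trust anchor for usages 0 and 2)."""
    for rr in rrset:
        if rr.selector != 0:
            continue  # SPKI selector needs ASN.1 parsing, out of scope
        if rr.usage in (0, 1) and not pkix_ok:
            continue  # PKIX-* usages also require normal path validation
        candidates = chain[:1] if rr.usage in (1, 3) else chain[1:]
        if any(association(c, rr.mtype) == rr.data for c in candidates):
            return True
    return False

# Constructed stand-ins for DER certificates (not real certificates).
ORIGIN_EE, ORIGIN_CA = b"constructed-origin-ee", b"constructed-origin-ca"
PROXY_EE, PROXY_CA = b"constructed-proxy-ee", b"constructed-injected-root"

# Records the site operator would publish for its own chain.
RR_DANE_EE = [TLSA(3, 0, 1, hashlib.sha256(ORIGIN_EE).digest())]
RR_PKIX_TA = [TLSA(0, 0, 1, hashlib.sha256(ORIGIN_CA).digest())]

if __name__ == "__main__":
    # Direct connection: the origin chain matches the published record.
    print(dane_accepts(RR_DANE_EE, [ORIGIN_EE, ORIGIN_CA], pkix_ok=True))
    # Via proxy: the injected root makes PKIX pass, but nothing matches.
    print(dane_accepts(RR_DANE_EE, [PROXY_EE, PROXY_CA], pkix_ok=True))
    print(dane_accepts(RR_PKIX_TA, [PROXY_EE, PROXY_CA], pkix_ok=True))
```
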
