On Fri, Oct 12, 2012 at 9:28 AM, Marc Lampo <[email protected]> wrote:
> Before the draft was adopted as RFC I asked how to cope with proxies.
> On Sector 2012, last week, I was quite shocked to hear a speaker (also
> reading this, I assume) to simply state to get rid of them!
> I'd rather see continued work on how to make the principle of DANE
> apply/work even in the presence of proxies.

There are no proxies defined for TLS, at least in the IETF context. TLS is an end-to-end protocol. What you call a proxy is performing a man-in-the-middle attack on the protocol. It succeeds by inserting a "proxy" certificate in the user's trusted CA list. In that context it is good that DANE detects those attacks. I suppose that such "proxies" would just insert their key as a DNSSEC root key.

regards,
Nikos

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
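The mechanism Nikos describes, an interception certificate passing the trust-store check but failing the DANE check, as an added example that is not part of the thread and not code from any IETF or DANE implementation. It implements the RFC 6698 TLSA certificate association data (selector 0/1, matching type 0/1/2) and an acceptance decision for usages 1 (PKIX-EE) and 3 (DANE-EE). The certificate bytes, key bytes, issuer names and the helper names `tlsa_assoc_data`, `make_tlsa`, `tlsa_matches`, `pki_trusts` and `evaluate` are all constructed for this example; a real client would take the DER certificate and its SubjectPublicKeyInfo from the TLS handshake and the TLSA record from a DNSSEC-validated lookup.

```python
import hashlib

# Constructed stand-ins for X.509 material. A real client would take the DER
# certificate and its SubjectPublicKeyInfo from the TLS handshake; here the
# bytes are made up so the example runs offline.
SERVER_CERT = {
    "der": b"constructed-der:example.net:server-cert",
    "spki": b"constructed-spki:server-public-key",
    "issuer": "Example Public CA",
}
# The interception device's certificate for the same name, issued by a CA that
# was pushed into the user's trust store (constructed, like the one above).
PROXY_CERT = {
    "der": b"constructed-der:example.net:proxy-cert",
    "spki": b"constructed-spki:proxy-public-key",
    "issuer": "Corporate Interception CA",
}


def tlsa_assoc_data(cert, selector, matching_type):
    """Certificate association data per RFC 6698 section 2.1:
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector == 0:
        data = cert["der"]
    elif selector == 1:
        data = cert["spki"]
    else:
        raise ValueError("unknown selector %r" % selector)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %r" % matching_type)


def make_tlsa(cert, usage=3, selector=1, matching_type=1):
    """Build the TLSA record the domain owner would publish (usage 3 = DANE-EE)."""
    return {"usage": usage, "selector": selector, "matching_type": matching_type,
            "data": tlsa_assoc_data(cert, selector, matching_type)}


def tlsa_matches(tlsa, presented_cert):
    """True if the presented end-entity certificate matches this TLSA record.
    Records with an unknown selector or matching type are unusable and never match."""
    try:
        expected = tlsa_assoc_data(presented_cert, tlsa["selector"], tlsa["matching_type"])
    except ValueError:
        return False
    return expected == tlsa["data"]


def pki_trusts(cert, trust_store):
    """Classic WebPKI check, reduced here to 'is the issuer in the trust store'."""
    return cert["issuer"] in trust_store


def evaluate(presented_cert, tlsa_records, trust_store):
    """Decide acceptance under WebPKI alone and under DANE (usages 1 and 3 only).
    Usage 3 trusts the TLSA match by itself; usage 1 additionally requires
    that the certificate chains to the trust store."""
    pki_ok = pki_trusts(presented_cert, trust_store)
    dane_ok = False
    for rec in tlsa_records:
        if rec["usage"] == 3 and tlsa_matches(rec, presented_cert):
            dane_ok = True
        elif rec["usage"] == 1 and pki_ok and tlsa_matches(rec, presented_cert):
            dane_ok = True
    return {"pki_ok": pki_ok, "dane_ok": dane_ok}


if __name__ == "__main__":
    records = [make_tlsa(SERVER_CERT)]
    # The interception CA has been added to the user's trust store.
    store = {"Example Public CA", "Corporate Interception CA"}
    print("genuine server:", evaluate(SERVER_CERT, records, store))
    print("interception proxy:", evaluate(PROXY_CERT, records, store))
```

With the interception CA in the trust store the proxy certificate passes the WebPKI check, but no TLSA record published by the domain owner matches its key, so the DANE check fails; that is the detection the message refers to. The example takes the TLSA record as already DNSSEC-validated, which is exactly the assumption the closing sentence attacks: an interceptor that can also replace the validator's DNSSEC trust anchor can publish a matching record of its own.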
