On Wed, 14 Nov 2012, Ben Laurie wrote:
>>> At the CT BoF the question was raised: what about DANE?
>>> Which is a good question. So, I think Google is prepared to
>>> contemplate running a CT log for DANE, but this leaves some
>>> questions...
>> What problem would CT for DANE be aiming to fix?
> By all means add that to the list of questions :-)
> But I assume the same problem CT already fixes: misissuance of certs
> (which in the DNSSEC world I guess mostly boils down to bad
> delegation).
Does that make sense though? With RRSIG validity times and TTLs you
can set your "damage period" as small as you want. There is no issue
like with certificates where your credentials can be abused for up to
12 months.
The only use I could see is as an alternative mechanism to transfer these
records into the application that does not require a clean DNS transport.
I think CT is a bandaid for PKIX that does not apply to DANE.
I think the problem with DANE/DNSSEC right now is the additional latency
and DNS transport issues (hotspots, VPN, etc.) but I don't think CT is
very well suited to address those.
Paul
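The "damage period" argument above can be made concrete. The following is an added example, not code from Paul or from the list; it parses an RRSIG over a TLSA RRset in presentation format (RFC 4034 section 3.2), applies the TTL cap a validating resolver is required to use (RFC 4035 section 5.3.3: never cache beyond the original TTL or the remaining signature lifetime), and computes the worst-case window during which a bad TLSA record could still be relied on. The RRSIG line, its timestamps and the zone name are constructed sample values, and the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG covering a TLSA RRset (RFC 4034 section 3.2 layout):
# owner ttl class RRSIG type-covered algorithm labels original-ttl
# expiration inception key-tag signer signature
# The zone, key tag and signature bytes are illustrative placeholders.
SAMPLE_RRSIG = (
    "_443._tcp.www.example.com. 3600 IN RRSIG TLSA 8 5 3600 "
    "20121121000000 20121114000000 12345 example.com. AAAA"
)

TIMESTAMP_FMT = "%Y%m%d%H%M%S"  # RRSIG timestamps are YYYYMMDDHHmmSS in UTC


def parse_rrsig(line):
    """Extract the fields that bound the record's lifetime from an RRSIG line."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return {
        "ttl": int(f[1]),
        "type_covered": f[4],
        "original_ttl": int(f[7]),
        "expiration": datetime.strptime(f[8], TIMESTAMP_FMT).replace(tzinfo=timezone.utc),
        "inception": datetime.strptime(f[9], TIMESTAMP_FMT).replace(tzinfo=timezone.utc),
    }


def signature_valid_at(sig, now):
    """A validator only accepts the RRSIG while inception <= now <= expiration."""
    return sig["inception"] <= now <= sig["expiration"]


def effective_cache_ttl(sig, now):
    """TTL a validating resolver may actually cache the RRset for (RFC 4035 5.3.3):
    the smallest of the received TTL, the original TTL, and the seconds left
    until the signature expires. Zero once the signature has expired."""
    if not signature_valid_at(sig, now):
        return 0
    remaining = int((sig["expiration"] - now).total_seconds())
    return max(0, min(sig["ttl"], sig["original_ttl"], remaining))


def worst_case_exposure(sig, validating=True):
    """Longest interval a misissued/bad TLSA record under this RRSIG can be relied on.
    Validating resolvers stop at signature expiration (the 5.3.3 cap drives the
    cached TTL to zero there). A non-validating cache that fetched the record just
    before expiry may still serve it for one more TTL."""
    window = sig["expiration"] - sig["inception"]
    if not validating:
        window += timedelta(seconds=sig["ttl"])
    return int(window.total_seconds())


if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    now = datetime(2012, 11, 20, 23, 30, tzinfo=timezone.utc)
    print("cacheable for", effective_cache_ttl(sig, now), "s at", now.isoformat())
    print("validating exposure", worst_case_exposure(sig), "s")
    print("non-validating exposure", worst_case_exposure(sig, validating=False), "s")
```

Shortening the RRSIG validity period (and re-signing more often) shrinks the window directly, which is the lever Paul refers to; a certificate's notAfter offers no equivalent knob once it has been issued.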
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane