On 14 November 2012 16:30, Paul Wouters <[email protected]> wrote:
> On Wed, 14 Nov 2012, Ben Laurie wrote:
>
>>>> At the CT BoF the question was raised: what about DANE?
>>>>
>>>> Which is a good question. So, I think Google is prepared to
>>>> contemplate running a CT log for DANE, but this leaves some
>>>> questions...
>>>
>>> What problem would CT for DANE be aiming to fix?
>>
>> By all means add that to the list of questions :-)
>>
>> But I assume the same problem CT already fixes: misissuance of certs
>> (which in the DNSSEC world I guess mostly boils down to bad
>> delegation).
>
> Does that make sense though? With RRSIG validity times and TTLs you
> can set your "damage period" as small as you want. There is no issue
> like with certificates where your credentials can be abused for up to
> 12 months.
>
> The only use I could see is as an alternative mechanism to transfer these
> records into the application that does not require a clean DNS transport.
>
> I think CT is a bandaid for PKIX that does not apply to DANE.
>
> I think the problem with DANE/DNSSEC right now is the additional latency
> and dns transport issues (hotspots, VPN, etc) but I don't think CT is
> very well suited to address those.
a) Why would an attacker use your validity times?

b) Weren't you amongst those asking for CT to support DANE during the BoF?

I disagree that CT is a bandaid for anything, BTW - it is a useful mechanism in its own right.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
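The point the two messages above turn on, as an added example that is not part of the thread and not code from either participant: the Signature Inception and Signature Expiration fields of an RRSIG are written by whoever holds the signing key, and a validator following RFC 4035 section 5.3.1 only checks that its current time falls inside that window (using the RFC 1982 serial-number comparison that RFC 4034 section 3.1.5 requires). A short window is a choice the legitimate signer makes; it is not something an attacker with the key has to honour. The `max_validity` cap below is a hypothetical validator-side policy for illustration, not something any RFC mandates, and the RRSIG timestamps and the "current time" are constructed values.

```python
"""RRSIG validity-window check, constructed to illustrate the thread above.

Not code from the dane list or from any named implementation. RRSIG time
fields are 32-bit seconds since the epoch (RFC 4034 section 3.1.5) and are
compared with serial-number arithmetic (RFC 1982); a validator accepts a
signature when inception <= now <= expiration (RFC 4035 section 5.3.1).
The max_validity cap is a hypothetical local policy, not an RFC requirement.
"""
from datetime import datetime, timezone
from typing import Optional, Tuple

MOD = 1 << 32  # RRSIG inception/expiration are unsigned 32-bit fields


def parse_rrsig_time(text: str) -> int:
    """YYYYMMDDHHmmSS presentation format -> 32-bit seconds since 1970-01-01 UTC."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' for 32-bit serials; handles the wrap past 2106."""
    return (a < b and b - a < MOD // 2) or (a > b and a - b > MOD // 2)


def serial_le(a: int, b: int) -> bool:
    return a == b or serial_lt(a, b)


def in_window(inception: int, expiration: int, now: int) -> bool:
    """The check RFC 4035 section 5.3.1 requires: inception <= now <= expiration."""
    return serial_le(inception, now) and serial_le(now, expiration)


def remaining_validity(expiration: int, now: int) -> int:
    """Seconds until the signature expires, modulo the 32-bit wrap."""
    return (expiration - now) % MOD


def validate(rrsig: dict, now: int, max_validity: Optional[int] = None) -> Tuple[bool, str]:
    """Standard window check, plus an optional (hypothetical) cap on how far
    into the future a signature may still be accepted."""
    inception = parse_rrsig_time(rrsig["inception"])
    expiration = parse_rrsig_time(rrsig["expiration"])
    if not in_window(inception, expiration, now):
        return False, "outside validity window"
    if max_validity is not None and remaining_validity(expiration, now) > max_validity:
        return False, "validity window longer than local policy allows"
    return True, "accepted"


# Constructed "current time": the date of the message above.
NOW = parse_rrsig_time("20121114163000")

# Constructed records. LEGIT is the two-day window a zone operator who wants a
# small damage period might sign; FORGED is what anyone holding the same key
# could sign instead, with an attacker-chosen twelve-month window.
LEGIT_RRSIG = {"inception": "20121114000000", "expiration": "20121116000000"}
FORGED_RRSIG = {"inception": "20121114000000", "expiration": "20131114000000"}

if __name__ == "__main__":
    for name, rr in (("legit", LEGIT_RRSIG), ("forged", FORGED_RRSIG)):
        print(name, "plain validator:", validate(rr, NOW))
        print(name, "with 7-day cap:", validate(rr, NOW, max_validity=7 * 86400))
```

A plain validator accepts both records, because both windows contain the current time; the zone operator's short window bounds only the damage from signatures the operator signed. Only a cap that the validator enforces on the remaining validity limits what a forged signature can claim, and that cap has to be short enough to reject the forgery while still accepting the operator's own signing period.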
