On Wed, Nov 14, 2012 at 11:02 AM, Tony Finch <[email protected]> wrote:
> Ben Laurie <[email protected]> wrote:
>
> > At the CT BoF the question was raised: what about DANE?
> >
> > Which is a good question. So, I think Google is prepared to
> > contemplate running a CT log for DANE, but this leaves some
> > questions...
>
> What problem would CT for DANE be aiming to fix?
I see a number of issues that need fixing:

1) Domain hijacking

DANE certificates are only as secure as the DNS names they are attached to. DNS hijacking occurs at a rate well in excess of 10,000 names a year and is probably much, much higher if we could get better numbers.

At present the DNS name owner (and it is the owner, regardless of what idiot lawyers claim) has to rely on their registrar to be competent and on the processes at the registry and, to a certain extent, on the honesty of other registrars. This whole area is essentially opaque; there is no documentation for most of the processes on which businesses are forced to rely.

2) Root jacking

Russia and China are just not going to be recognizing the ICANN roots, dudes. They have been telling everyone who will listen that they are going to fork the root and they have a big enough fraction of the population of the planet to make it stick. So people can do the ostrich head-in-the-sand thing or they can anticipate this attack and think about ways to neutralize it.

3) Demonstrate continuity

In the case that a DNS name changes hands I do not necessarily want to be sending the new information the confidential data I would have sent the old one. Lacking the ability to establish an external validation of the source, this means I am much more interested in determining the lineage of credentials.

Or it could just be that the DANE people have created an absolutely perfect system that is beyond any possible reproach and the fact that nobody seems to be implementing it beyond limited-scale trials and plugins is due to the inability of everyone else to fully appreciate their awesomeness.

-- 
Website: http://hallambaker.com/
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
