On 31-05-13 17:34, Jakob Schlyter wrote:
> On 30 May 2013, at 16:55, Ben Laurie<[email protected]>  wrote:
> 
>> a) It introduces latency, and
> 
> so does checking revocation lists and OCSP.
> 
>> b) It isn't reliable, so cannot be hard-fail.
> 
> I'm a bit disappointed that browser vendors are not willing to
> implement new protocols, like DANE, just because there exist
> clients out there that cannot reliably use them. I'm not saying we
> should enable these features by default, but to be able to test them
> and learn more we need them in something that is not an experimental
> build.


To Jakob. As you work at a CA, I have this wish:

I would love to see the CA industry promote TLSA records for every
server certificate they sign. When I apply for/renew a certificate the CA
gives me the correct RR line, ready to include in my DNS(SEC) records.

DANE usage 0 is the missing link between (domain) name and signer,
something that was envisioned with the ISO X.500 directory but never materialised.

Could you poke some people from the inside at your CA to consider it? I
don't think it is a lot of work. If I'm not mistaken, with usage 0, it
would be the same for each certificate signed with the CA's Root. (But
what do I know, I'm just a beginner. ;-) )

> I would even stretch my neck out and claim that the additional
> controls provided by using DANE with certificate usage 0/1 (i.e.
> backed by classic PKIX) would make sense even without DNSSEC. I know
> this is a very dangerous path and many dragons lurk along it, but I
> still believe this is something we should explore further.

It would not give many security benefits without Perspectives, Cert
Patrol and others, but it is a little extra work for MitM boxes to keep
up their appearance.

And it certainly helps solve the chicken-and-egg problem we have now.
So please pursue that path.

Respectfully, Guido.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
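The thread's suggestion is that a CA hands the customer a ready-made TLSA record, and that with usage 0 (CA constraint) the record's association data is the same for every certificate the CA issues. The following example, added here and not part of the mailing-list post or of any DANE implementation, builds TLSA records in the RFC 6698 presentation and wire formats from certificate DER: selector 0 (full certificate) or 1 (SubjectPublicKeyInfo), matching type 0/1/2 (exact, SHA-256, SHA-512). The "certificates" are constructed DER skeletons with the TBSCertificate field order the SPKI walk relies on; they do not validate and the owner names, keys and serials are made-up sample values.

```python
import hashlib

# DER TLV builder, used only to construct the sample certificates below.
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the DER element at buf[pos]."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the DER SubjectPublicKeyInfo TLV.
    TBSCertificate order (RFC 5280 4.1): [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo."""
    _, cert, _ = _read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # TBSCertificate SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                           # explicit [0] version present
        pos = nxt
    for _ in range(5):                        # serial, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]                       # selector 1 hashes the whole SPKI TLV

def tlsa_assoc_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate association data per RFC 6698 section 2.1."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        raise ValueError("selector must be 0 (full certificate) or 1 (SPKI)")
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("matching type must be 0, 1 or 2")

def tlsa_rr(owner: str, usage: int, selector: int, matching_type: int, cert_der: bytes) -> str:
    """Presentation-format record, e.g. '_443._tcp.a.example.com. IN TLSA 0 1 1 <hex>'."""
    if usage not in (0, 1, 2, 3):
        raise ValueError("usage must be 0 (CA constraint), 1, 2 or 3")
    data = tlsa_assoc_data(cert_der, selector, matching_type)
    return f"{owner} IN TLSA {usage} {selector} {matching_type} {data.hex()}"

def tlsa_wire(usage: int, selector: int, matching_type: int, cert_der: bytes) -> bytes:
    """RDATA wire format: one byte each for usage, selector, matching type, then the data."""
    return bytes([usage, selector, matching_type]) + tlsa_assoc_data(cert_der, selector, matching_type)

def parse_tlsa_wire(rdata: bytes):
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"          # rsaEncryption
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # sha256WithRSAEncryption
CN_OID = b"\x55\x04\x03"                                   # commonName

def _fake_cert(serial: int, subject: bytes, key: bytes) -> bytes:
    """Constructed DER skeleton with the right field order; not a real certificate."""
    def name(cn: bytes) -> bytes:
        return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn))))
    version = der(0xA0, der(0x02, b"\x02"))
    sig_alg = der(0x30, der(0x06, SHA256_RSA_OID))
    validity = der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"240101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID)) + der(0x03, b"\x00" + key))
    tbs = der(0x30, version + der(0x02, bytes([serial])) + sig_alg
              + name(b"Example CA") + validity + name(subject) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\xAA" * 8))

# Constructed sample input: one CA certificate and two end-entity certificates it "issued".
CA_CERT = _fake_cert(1, b"Example CA", b"CA-KEY-BYTES")
EE_CERT_A = _fake_cert(2, b"a.example.com", b"KEY-A")
EE_CERT_B = _fake_cert(3, b"b.example.com", b"KEY-B")

def ca_constrained_records():
    """Usage 0 records for both servers are derived from the CA certificate,
    so their association data is identical; a usage 1 record would differ per server."""
    return (tlsa_rr("_443._tcp.a.example.com.", 0, 1, 1, CA_CERT),
            tlsa_rr("_443._tcp.b.example.com.", 0, 1, 1, CA_CERT))

if __name__ == "__main__":
    for rr in ca_constrained_records():
        print(rr)
    print(tlsa_rr("_443._tcp.a.example.com.", 1, 1, 1, EE_CERT_A))
```

Usage 0 and 1 only add a check on top of PKIX validation, which is why the record alone says nothing about the chain; a resolver still has to validate the chain and then confirm that the matching certificate (usage 0) or the server certificate itself (usage 1) matches the record. Without DNSSEC the record can be stripped or replaced in transit, which is the caveat behind the "dangerous path" remark above.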
