On Sat, Jun 01, 2013 at 08:47:42AM +0200, Jakob Schlyter wrote:

> > I would love to see the CA-industry promote TLSA records for every
> > server certificate they sign. When I apply/renew a certificate the CA
> > gives me the correct RR-line, ready to include in my DNS(SEC)-records.
> 
> That sounds like an excellent idea.

This is, I think, unlikely to happen.  It is easy to compute a SHA256
digest of a certificate or public key from the associated certificate.
As we've seen the main obstacle to DANE adoption is DNSSEC deployment,
not so much difficulties with DANE itself.

Once DNSSEC is more widely implemented, publishing of TLSA RRs will
not be held back for lack of knowledge of what to publish or tools
to compute the digests.  One simple example:

    #! /bin/sh
    # Print a DANE-EE (usage 3) TLSA record for the SubjectPublicKeyInfo
    # (selector 1) of a PEM certificate, matched by SHA-256 digest (type 1).
    usage() {
        echo "usage: $0 base-domain certificate-file" >&2
        exit 1
    }
    getopts :h opt && usage
    [ $# -eq 2 ] || usage
    base=$1
    cert=$2
    # Extract the public key, re-encode it as DER, hash it, and emit the RR;
    # $2 of the dgst output is the hex digest regardless of the "(stdin)=" prefix.
    openssl x509 -in "$cert" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 |
        awk -v base="$base" '{printf "%s IN TLSA 3 1 1 %s\n", base, $2}'

Tools for doing this should be included with server software.

Some people will likely be trusting enough to have some stranger's
web page compute the TLSA RR for them.  (This covers the CA case,
as end-users of certificates often receive these via email, in
which the sender is weakly authenticated if at all).

-- 
        Viktor.
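As an added example, not Viktor's script and not part of the thread, the same computation in pure Python, generalised to the other RFC 6698 selectors (0 = full certificate, 1 = SPKI) and matching types (0 = exact, 1 = SHA-256, 2 = SHA-512). The DER walker, the function names and the embedded certificate skeleton are my own constructions; the sample is not a real, signed certificate, only enough DER structure for the SPKI extraction to walk.

```python
import hashlib

MATCHING = {1: "sha256", 2: "sha512"}   # RFC 6698 matching types (0 = exact)

def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + content

def _tlv(data, pos=0):
    """Decode the DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        k = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 Certificate."""
    _, pos, _ = _tlv(cert_der)                  # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, pos)       # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                   # optional [0] EXPLICIT version
        pos = _tlv(cert_der, pos)[2]
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    end = _tlv(cert_der, pos)[2]
    if cert_der[pos] != 0x30 or end > tbs_end:
        raise ValueError("malformed certificate: no SPKI SEQUENCE")
    return cert_der[pos:end]

def tlsa_rdata(cert_der, selector, matching):
    """Association data: selector 0 = full cert, 1 = SPKI; matching 0 = exact."""
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    return data.hex() if matching == 0 else hashlib.new(MATCHING[matching], data).hexdigest()

def tlsa_record(owner, cert_der, usage=3, selector=1, matching=1):
    rdata = tlsa_rdata(cert_der, selector, matching)
    return f"{owner} IN TLSA {usage} {selector} {matching} {rdata}"

# Constructed sample: not a real certificate, only the DER skeleton that
# extract_spki walks (Ed25519 OID 1.3.101.112, dummy key bits and signature).
_ALG = _der(0x30, b"\x06\x03\x2b\x65\x70")
SAMPLE_SPKI = _der(0x30, _ALG + _der(0x03, b"\x00" + bytes(range(32))))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _ALG
            + _der(0x30, b"") + _der(0x30, _der(0x17, b"130601000000Z") * 2)
            + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00" + bytes(64)))
```

For a real certificate, feed `extract_spki` the DER bytes (e.g. the PEM body base64-decoded, as `openssl x509 -outform DER` would produce); the `3 1 1` output then matches the shell pipeline above.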