On Mon, Jun 03, 2013 at 10:16:14AM +0100, Ben Laurie wrote:
> > On 30 May 2013, at 16:55, Ben Laurie <[email protected]> wrote:
> >
> >> a) It introduces latency, and
> >
> > so does checking revocation lists and OCSP.
>
> Which is why they're default off.

As does also e.g. SPNEGO, which browser users can and often do enable for
specified domains since this supports SSO via Kerberos. So there are a
number of precedents for default-off security mechanisms. I think that
DANE deserves a chance, and ideally what we should be discussing is
"when" not "whether". There is a bit of a chicken/egg issue with DNSSEC:
it takes some effort to deploy, and this effort needs to have benefits
to encourage more deployment. DANE could be one of the motivating factors
driving DNSSEC adoption, but without browser support the impetus is
reduced.

> >> b) It isn't reliable, so cannot be hard-fail.
> >
> > I'm a bit disappointed that browser vendors are not willing to implement
> > new protocols, like DANE, just because there exist clients out there that
> > cannot reliably use them. I'm not saying we should enable these features by
> > default, but to be able to test them and learn more we need them in
> > something that is not an experimental build.
>
> I don't have any particular view on whether browsers should or should
> not implement protocols that don't work reliably, but my goal is to
> accept reality and implement something that _is_ reliable (i.e.
> Certificate Transparency).

In what context is the normative language below
( https://tools.ietf.org/html/draft-laurie-pki-sunlight-12#section-3 )
intended to apply?

   TLS servers MUST present an SCT from one or more logs to the TLS
   client together with the certificate. TLS clients MUST reject
   certificates that do not have a valid SCT for the end-entity
   certificate.

Must private-label internal-only corporate CAs implement this standard?
Does this apply only to certificates that chain to designated roots?
Are legacy clients that don't implement the new standard no longer
allowed to connect to servers?

The above requirement seems rather bold without some constraints on its
scope.

-- 
	Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
