Firefox, Chrome, etc. clients need to completely support DANE usage 2 (private CA, Trust Anchor) and DANE usage 3 (End Entity, server, domain-issued) certs, obtained via a local DNS resolver with DNSSEC validation support, or via native DNSSEC libraries. Since these clients already support Classic PKI, ... DANE usage case 0 and 1 support is not needed immediately.

I'm sure devs there have seen RFC 6698, and related, then why are they not implementing it yet? Something still incomplete? What is/are stopping them?

These clients should show an icon to indicate when an HTTPS-based site is authenticated via classic PKIX certs, and when authenticated via TLSA/DANE certs. These should have/show a simple indicator icon with "S" or "T" to indicate SSL/TLS authenticated / encrypted, or an indicator icon with "D" to indicate DANE DNSSEC authenticated / encrypted, or an indicator icon with "T+D" or "S+D", or "T/D" or "S/D", to indicate both paths, Classic PKIX and DANE, authenticated.

-- Bright.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
