On Wed, Oct 01, 2014 at 09:37:08AM -0700, William Stouder-Studenmund wrote:
> Making a case for DANE means making a case for DNSSEC.
Yes.
> I get that DANE can detect a large class of MITM attacks.
No, DANE can publish associations between service end-points and
public key material. Protecting against MITM attacks is a matter
for the protocols that use that key material. DNSSEC hardens the
lookups of that key material against MITM attacks.
> Saying that
> isn't as convincing as handing over a list of, "DANE is designed to stop
> this, DANE would have stopped that one," and so on.
DANE can enable opportunistic security protocol designs that are
capable of resisting MITM attacks. This is in use with SMTP and
XMPP.
DANE for the web is some time away. None of the browsers are
planning DANE support at this time. My hope is that at some point
in the future the new "h2" URI scheme will support opportunistic
DANE TLS, rather than just opportunistic unauthenticated encryption.
DANE replacing public CAs with "https" seems unlikely so long as
there is perceived value in "EV" certificates.
--
Viktor.
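The association between a service end-point and its key material that the reply describes, together with the opportunistic fallback when DNSSEC cannot vouch for the TLSA lookup, as an added Python example that is not part of the original thread. It assumes the SubjectPublicKeyInfo has already been extracted from the DER certificate; the certificate and SPKI bytes below are constructed placeholders, not real DER.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA RR (RFC 6698): usage, selector, matching type, association data."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation format such as '3 1 1 2bb183af...' into a TLSA."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex(hexdata.replace(" ", "")))

def association_data(tlsa: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must contain for this certificate."""
    selected = {0: cert_der, 1: spki_der}[tlsa.selector]
    if tlsa.matching == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[tlsa.matching](selected).digest()

def tlsa_matches(tlsa: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the certificate (DER) and its SPKI (DER) match the record.
    For usage 3 pass the end-entity cert; for usage 2 pass the issuer cert
    from the chain. Usages 0 and 1 additionally need ordinary PKIX validation."""
    try:
        return association_data(tlsa, cert_der, spki_der) == tlsa.data
    except KeyError:        # unknown selector/matching type: record is unusable
        return False

def tls_policy(tlsa_records: list, dnssec_status: str) -> str:
    """What an opportunistic-DANE client demands (modelled on RFC 7672 for SMTP).
    dnssec_status is 'secure', 'insecure' or 'bogus' as reported by the resolver."""
    if dnssec_status == "bogus":
        return "fail"                           # tampered or broken signatures
    if dnssec_status != "secure" or not tlsa_records:
        return "opportunistic-unauthenticated"  # encrypt if offered, nothing to authenticate against
    return "dane-authenticated"                 # peer cert must match a usable TLSA record

# Constructed placeholders standing in for real DER bytes (not a real certificate).
CERT_DER = b"constructed-certificate-der"
SPKI_DER = b"constructed-subjectpublickeyinfo-der"

def publish_record(usage: int, selector: int, matching: int) -> str:
    """Generate the presentation-format TLSA record an operator would publish."""
    data = association_data(TLSA(usage, selector, matching, b""), CERT_DER, SPKI_DER)
    return f"{usage} {selector} {matching} {data.hex()}"
```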
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane