Hello DANE Working Group,

At least one browser (Google Chrome) has experimented with DANE, but subsequently removed it "due to lack of use"[0]. There is also a Firefox plugin that will validate DANE records[1].

I submitted a draft to address this, in order to allow sites that want to use DANE the ability to explicitly state their intent and to allow UAs to only expend resources on domains where DANE is requested:

http://datatracker.ietf.org/doc/draft-cem-dane-assertion/

I believe, if there is interest, that this could fit part of the problem statement of the working group charter: to "create documents that describe how protocol entities can discover and validate these bindings in the execution of specific applications"[2].

Those familiar with HSTS[3] and HPKP[4] ought to find many of the directives familiar; there is, however, a new concept, a 'require' directive. The reason I included this directive was because of the way DANE works: if you receive a certificate that is valid via PKIX and do not receive any DANE records, the connection will continue. By using the 'require' directive, the host operator forces the connection to be validated using both PKIX and DANE, or solely by using DANE, every time.

I have also written up some additional thoughts on the subject here: [5]

Carl Mehner

[0] https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
[1] https://www.dnssec-validator.cz
[2] https://datatracker.ietf.org/wg/dane/charter
[3] https://tools.ietf.org/html/rfc6797
[4] https://tools.ietf.org/html/draft-ietf-websec-key-pinning
[5] https://www.cem.me/20141203-hdva.html
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
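The following is an added example, not code from the draft, from the post above, or from any browser; it shows the client-side decision the post describes: without a 'require' directive, a PKIX-valid certificate with no TLSA records is accepted, while with 'require' the connection must pass DANE, either together with PKIX (usage 1, PKIX-EE) or on its own (usage 3, DANE-EE). The directive syntax ("require; max-age=N") is a hypothetical HSTS/HPKP-style stand-in, since the post does not quote the draft's syntax; the certificate and SPKI bytes are constructed, not real DER; and only end-entity usages are evaluated (usages 0 and 2 need chain walking and are out of scope here). The TLSA matching itself (selector, matching type) follows RFC 6698.

```python
"""Added example: DANE TLSA policy decision with and without a 'require'
directive. Not the draft's code; directive syntax and sample bytes are
hypothetical / constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int     # RFC 6698: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact copy, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def parse_directives(value: str) -> Dict[str, object]:
    """Parse an HSTS/HPKP-style directive list into a dict.
    Hypothetical syntax: 'require; max-age=31536000; includeSubDomains'.
    Valueless directives map to True; valued ones to their string value."""
    out: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if val else True
    return out


def _digest(mtype: int, raw: bytes) -> bytes:
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record against the presented end-entity certificate."""
    if rec.selector == 0:
        raw = cert_der
    elif rec.selector == 1:
        raw = spki_der
    else:
        return False  # unknown selector: treat the record as unusable
    return _digest(rec.mtype, raw) == rec.data


def decide(records: List[TLSA], dnssec_secure: bool, pkix_valid: bool,
           cert_der: bytes, spki_der: bytes,
           directives: Dict[str, object]) -> Tuple[bool, str]:
    """Return (accept, reason) for a TLS connection.

    Without 'require', absent or unsigned TLSA data falls back to the PKIX
    result. With 'require', DANE must succeed: usage 1 needs PKIX *and* a
    TLSA match, usage 3 needs only the TLSA match."""
    require = bool(directives.get("require", False))
    # TLSA data that is not DNSSEC-validated must be ignored (RFC 6698).
    usable = records if dnssec_secure else []
    if not usable:
        if require:
            return False, "require set but no DNSSEC-validated TLSA records"
        return pkix_valid, "no DANE data, PKIX-only result"
    for rec in usable:
        if rec.usage == 1 and pkix_valid and tlsa_matches(rec, cert_der, spki_der):
            return True, "PKIX-EE: PKIX chain valid and TLSA matched"
        if rec.usage == 3 and tlsa_matches(rec, cert_der, spki_der):
            return True, "DANE-EE: TLSA matched, PKIX not consulted"
        # usages 0/2 would be matched against the chain; not handled here
    return False, "TLSA records present but none matched the certificate"


# Constructed stand-ins for DER bytes (not real certificates or keys).
CERT_DER = b"\x30\x82constructed-cert-bytes"
SPKI_DER = b"\x30\x59constructed-spki-bytes"
DANE_EE_OK = TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest())
PKIX_EE_OK = TLSA(1, 0, 2, hashlib.sha512(CERT_DER).digest())
MISMATCH = TLSA(3, 1, 1, hashlib.sha256(b"some other key").digest())


if __name__ == "__main__":
    pol = parse_directives("require; max-age=31536000")
    print(decide([], True, True, CERT_DER, SPKI_DER, {}))            # accepted, PKIX only
    print(decide([], True, True, CERT_DER, SPKI_DER, pol))           # rejected: require
    print(decide([DANE_EE_OK], True, False, CERT_DER, SPKI_DER, pol))  # accepted: DANE-EE
    print(decide([PKIX_EE_OK], True, False, CERT_DER, SPKI_DER, pol))  # rejected: PKIX failed
```

The fourth case is the one the 'require' directive exists for: a certificate that would have been accepted on PKIX alone (first case) is rejected once the operator has asserted that DANE must be used, and a PKIX-EE record additionally fails when the PKIX chain does not validate.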
