On Fri, Feb 12, 2016 at 8:42 PM, Viktor Dukhovni <[email protected]> wrote:
> On Fri, Feb 12, 2016 at 07:51:21AM -0500, Phillip Hallam-Baker wrote:
>
>> The industry now has or at least it thinks it has two answers to the
>> problems DANE addresses. They are using HTTP key pinning as their
>> security policy layer and are looking at Let's Encrypt for free certs.
>>
>> If you want to achieve the original objectives of this working group
>> and get them deployed, then work within the framework that the parties
>> whose buy-in you need for deployment have already established.
>
> It seems to me that the most significant obstacle to using
> DNSSEC-assisted key pinning in browsers is not the RRdata format
> (TLSA or HPKP text), but rather the DNSSEC last-mile problem, which
> means browsers often can't get DNSSEC validated records of any
> kind.

Yes, hence I submitted a proposal to address that issue before DANE chartered.

The other problem is that in DANE, DNSSEC is a MUST, which was a
problem when every single one of my browser contacts refused to
consider it at present.

My goal was to upsell my DV customers to DNSSEC. That can't happen if
it is a MUST.


> Hence revived efforts to transport DNS data inside the TLS handshake
> between HTTP server and client.

But the folk pursuing that effort refuse to consider the fact that the
browser engineers are pushed to minimize latency as first priority. So
now deployment of DPRIV is effectively gated on TCP Fast start.


> Given that the DNSSEC approach has more solid mechanisms for ensuring
> freshness, and that DANE also supports pinning of trust-anchors,
> not just EE keys, there is little to recommend HPKP once DNSSEC is
> available.

Except for the fact that it is already deployed and has a
comprehensive support base.


HPKP in a DNS RR offers exactly the same functionality without the
deployment hassles. Why do you expect the internet to bend to the will
of a dozen people who don't listen?

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane