On Fri, Feb 12, 2016 at 11:13:34PM -0500, Phillip Hallam-Baker wrote:

> HPKP in a DNS RR offers exactly the same functionality without the
> deployment hassles. Why do you expect the internet to bend to the will
> of a dozen people who don't listen?

Again this is quite orthogonal to the payload format, you're arguing
for using DNS key pinning without DNSSEC (similar to DKIM).  That
makes the lookup vulnerable to active attacks, so we're back to
TOFU and cache lifetimes longer than the DNS TTL, ...

There is a lot less reason left to use DNS by the time that happens,
except for the hope of the upselling you mention, where perhaps
some folks start publishing the same records in signed zones, and
clients start checking the signatures.

Yes, I understand that DNSSEC is at present and may indefinitely
remain too high a bar.  In which case DANE fails.  However key
pinning via insecure DNS is not really DANE, it is just an alternate
transport for some application data via a typically untrusted cache.
It may be more efficient than a roundtrip to the HTTP server, but
that's all.

So I don't think there is any need for a DANE working-group to
propose and standardize such things.  The DANE working-group is
trying something more ambitious, that may fail, but is likely worth
a try.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
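An added illustration of the trade-off discussed above (constructed here, not code from the thread, from Viktor, or from any DANE or HPKP implementation): a small Python model of a client pin cache that treats DNSSEC-validated TLSA-style answers as authoritative but falls back to trust-on-first-use for unsigned answers, keeping the pin for a lifetime that is independent of the DNS TTL. The owner name, the SPKI byte strings and the timeline are constructed; `PinStore`, `TlsaAnswer` and `run_scenario` are hypothetical names. The scenario shows why a client that simply re-pins from every fresh unsigned lookup loses to an on-path forger once the TTL expires, while the TOFU cache keeps enforcing the first pin, and why a DNSSEC-validated change can be adopted directly.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class TlsaAnswer:
    """One TLSA-style answer as seen by the client (constructed shape)."""
    name: str
    pin: bytes            # SHA-256 of the server's SPKI (TLSA matching type 1)
    ttl: int              # DNS TTL in seconds
    authenticated: bool   # True only if the resolver validated DNSSEC (AD bit)


@dataclass
class PinEntry:
    pin: bytes
    expires: float        # pin lifetime, deliberately independent of the DNS TTL


class PinStore:
    """Client-side pin cache: DNSSEC answers are used as-is, unsigned ones are TOFU."""

    def __init__(self, pin_lifetime: int = 30 * 86400):
        self.pins: dict[str, PinEntry] = {}
        self.pin_lifetime = pin_lifetime

    def evaluate(self, answer: TlsaAnswer, now: float) -> tuple[str, bytes]:
        """Return (status, pin_to_enforce) for this answer at time `now`."""
        if answer.authenticated:
            # Validated by DNSSEC: the record is trustworthy on its own, so a changed
            # pin is a legitimate key rollover rather than an attack.  Honor the TTL.
            self.pins[answer.name] = PinEntry(answer.pin, now + answer.ttl)
            return "dnssec", answer.pin

        entry = self.pins.get(answer.name)
        if entry is None or entry.expires <= now:
            # No usable pin yet: trust on first use and remember it for pin_lifetime,
            # which must outlive the DNS TTL or every re-query becomes a fresh TOFU.
            self.pins[answer.name] = PinEntry(answer.pin, now + self.pin_lifetime)
            return "tofu", answer.pin

        if entry.pin != answer.pin:
            # Unsigned answer disagrees with the remembered pin.  Plain DNS can be
            # forged by an active attacker, so keep the old pin instead of the new one.
            return "mismatch", entry.pin

        entry.expires = now + self.pin_lifetime   # agreement: extend the pin lifetime
        return "cached", entry.pin


def spki_matches_pin(spki: bytes, pin: bytes) -> bool:
    """The check the TLS client performs against the peer's public key."""
    return hashlib.sha256(spki).digest() == pin


def run_scenario() -> dict:
    """Constructed timeline: DNS TTL of 1h, pin lifetime of 30d, one forged re-query."""
    name = "_25._tcp.mx.example.net."                        # constructed owner name
    legit_spki = b"constructed SPKI of the genuine mail server"
    rogue_spki = b"constructed SPKI presented by an on-path attacker"
    rolled_spki = b"constructed SPKI after a genuine key rollover"
    legit_pin = hashlib.sha256(legit_spki).digest()
    rogue_pin = hashlib.sha256(rogue_spki).digest()
    rolled_pin = hashlib.sha256(rolled_spki).digest()

    store = PinStore()
    # t=0: first unsigned lookup; the client has nothing better than to trust it.
    first_status, first_pin = store.evaluate(TlsaAnswer(name, legit_pin, 3600, False), now=0)
    # t=2h: the DNS TTL has expired, the resolver re-queries, and the unsigned reply is forged.
    later_status, later_pin = store.evaluate(TlsaAnswer(name, rogue_pin, 3600, False), now=7200)

    # A client that re-pins from each fresh unsigned lookup ends up accepting the rogue key.
    naive_accepts_rogue = spki_matches_pin(rogue_spki, rogue_pin)
    # The TOFU store still enforces the first pin, so the rogue key is rejected.
    tofu_accepts_rogue = spki_matches_pin(rogue_spki, later_pin)

    # With DNSSEC a changed record has been validated, so the client may switch pins directly.
    signed_status, signed_pin = store.evaluate(TlsaAnswer(name, rolled_pin, 3600, True), now=7200)

    return {
        "first": first_status,
        "later": later_status,
        "later_pin_is_first_pin": later_pin == first_pin,
        "naive_accepts_rogue": naive_accepts_rogue,
        "tofu_accepts_rogue": tofu_accepts_rogue,
        "signed": signed_status,
        "signed_accepts_rolled": spki_matches_pin(rolled_spki, signed_pin),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The pin lifetime (30 days here) is the "cache lifetime longer than the DNS TTL" from the message: it is what turns an unsigned lookup into something more than a per-TTL guess, at the cost of never being able to tell a forged answer from a legitimate key change without some out-of-band signal. The DNSSEC branch has no such problem, which is the gap between "DANE" and "key pinning over insecure DNS".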
