> From: Lutz Donnerhacke <[email protected]>
> But the erroneous transfer of ebay.de would create a disaster with DANE.
In what way would DANE make the theft of a domain worse?

Without DANE, the new possessor of a domain need only get SMTP working, create a new cert, apply for signature for a new cert, answer the email from the CA verifying ownership of the domain, and start using that new cert on new HTTP servers with improved web pages.

With DANE, only a few things differ. One difference is that the new cert can be used as soon as DNS TTLs allow without waiting to answer ownership-verifying email from the CA. The second difference is that before and after the transfer, browser users can be more confident that the web pages they see are unchanged between HTTP server and HTTP client.

In no case can you be sure that ebay.de is what you assume it is without some sort of out-of-band exchange of keys and secrets between you and ebay.de. Paying a CA $500 cannot buy more than $500 worth of identity checking and authentication, and that cannot penetrate more than $500 worth of smoke, mirrors, forged business licenses, etc. $500 is plenty for a hobby domain but ridiculous for an eBay. (Never mind the free CAs.)

Commercial PKI verifications of the identities of strangers have always been frauds and snake oil sold to punters. That commercial PKI fees have always been too small to allow honest identity checks even for organizations more famous than Ebay was proven more than 10 years ago.

https://www.cert.org/advisories/CA-2001-04.html
http://technet.microsoft.com/en-us/security/advisory/2524375

Vernon Schryver [email protected]
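An added illustration of the "as soon as DNS TTLs allow" point above (example code, not part of the message or of any DANE implementation): a minimal DANE-EE (usage 3) TLSA match per RFC 6698, with constructed byte strings standing in for DER-encoded certificates, showing that a client still holding the old operator's cached TLSA RRset rejects the new holder's cert until the TTL expires, and then accepts the new cert with no CA involved. All names are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded objects (not real X.509 data).
OLD_CERT, OLD_SPKI = b"old-operator-cert-der", b"old-operator-spki-der"
NEW_CERT, NEW_SPKI = b"new-holder-cert-der", b"new-holder-spki-der"


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE: match the end-entity cert, no PKIX path needed
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

    def presentation(self):
        # RFC 6698 presentation format, e.g. "3 1 1 <hex>"
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"

def association_data(cert_der, spki_der, selector, mtype):
    """Derive the Certificate Association Data field from a certificate."""
    obj = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return obj
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return digest(obj).digest()

def publish_tlsa(cert_der, spki_der, selector=1, mtype=1):
    """What an operator publishes at _443._tcp.<host>: a DANE-EE record."""
    return TLSA(3, selector, mtype, association_data(cert_der, spki_der, selector, mtype))

def dane_ee_matches(rr, cert_der, spki_der):
    """Client side: does the served end-entity certificate satisfy the record?"""
    if rr.usage != 3:
        raise NotImplementedError("usages 0-2 also require PKIX validation")
    return rr.data == association_data(cert_der, spki_der, rr.selector, rr.mtype)

def transfer_scenario():
    """Old record vs. new cert: a client whose cached old TLSA RRset has not yet
    expired rejects the new holder's cert; once it fetches the new RRset, the
    new cert is accepted without any CA involvement."""
    old_rr = publish_tlsa(OLD_CERT, OLD_SPKI)
    new_rr = publish_tlsa(NEW_CERT, NEW_SPKI)
    return {
        "old_rr_old_cert": dane_ee_matches(old_rr, OLD_CERT, OLD_SPKI),
        "old_rr_new_cert": dane_ee_matches(old_rr, NEW_CERT, NEW_SPKI),
        "new_rr_new_cert": dane_ee_matches(new_rr, NEW_CERT, NEW_SPKI),
    }
```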
