On 2015-10-29 13:51, Alain Wolf wrote:
>
>
> On 29.10.2015 at 03:29, Kim Alvefur wrote:
>> On 2015-10-28 22:32, Daniel Pocock wrote:
>>> We are just reviewing the final configuration before announcing
>>> debian.org XMPP
>>
>> Nice!
>>
>>> Can anybody comment on DANE / TLSA? Should we only talk to servers
>>> supporting this?
>>
>> I'm all for encouraging DANE deployment, but it might be a bit early to
>> only talk to DANE-enabled servers. By which I mean having a cert not
>> signed by a commonly trusted CA and only relying on DNSSEC for
>> validation of other servers' certificates, not even doing Dialback. I
>> know of a total of 4 servers (including my own) that you could talk to then.
>>
>> But there is actually quite a number of DNSSEC-signed domains with TLSA
>> records published out there, judging by the ones that have been
>> submitted to xmpp.net for testing (since the disk crash). So only
>> talking to hosts with valid and matching TLSA records would not be too
>> crazy.
>>
>> https://xmpp.net/reports.php#dnssecsrv
>> https://xmpp.net/reports.php#dnssecdane
>
> For the lazy ...
>
> 3,033 Total Test Results (100%)
> 557 DNSSEC signed SRV records (18%)
> 217 DNSSEC signed DANE records (7%)
Worth comparing with PKIX-based trust:

            Trusted         Untrusted
  -------   -------------   -------------
  Valid     1738 (55.1%)    603 (19.1%)
  Invalid   212 (6.7%)      600 (19%)
https://xmpp.net/reports.php#trust
(Total increased to 3041)
--
Kim "Zash" Alvefur
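The "valid and matching TLSA record" check discussed in the thread, as an added example that is not part of the original mail and not Prosody's or xmpp.net's code: it computes the RFC 6698 certificate association data for an end-entity certificate (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0/1/2 = raw/SHA-256/SHA-512) and compares it with a presentation-format TLSA record such as "3 1 1 <hex>". The DER bytes used as the sample certificate are constructed here and are not a real, signed certificate; DNSSEC validation of the record itself is assumed to have happened before this check runs.

```python
import hashlib

def der_tlvs(buf):
    """Split a DER body into top-level (tag, raw_tlv, value) triples."""
    pos, out = 0, []
    while pos < len(buf):
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                                  # long-form length
            n = length & 0x7F
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), hdr + n
        end = pos + hdr + length
        out.append((tag, buf[pos:end], buf[pos + hdr:end]))
        pos = end
    return out

def spki_of(cert_der):
    """DER SubjectPublicKeyInfo TLV of an X.509 certificate (TLSA selector 1)."""
    fields = der_tlvs(der_tlvs(der_tlvs(cert_der)[0][2])[0][2])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # explicit [0] version present
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, SPKI

def tlsa_assoc_data(cert_der, selector, mtype):
    """Certificate association data (RFC 6698): selector 0/1, matching type 0/1/2."""
    subject = {0: cert_der, 1: spki_of(cert_der)}[selector]
    return subject if mtype == 0 else {1: hashlib.sha256, 2: hashlib.sha512}[mtype](subject).digest()

def tlsa_matches(cert_der, rdata):
    """Match an end-entity cert against TLSA rdata ('3 1 1 <hex>'). Usage 3 (DANE-EE) needs
    no CA; usage 1 (PKIX-EE) matches the same way but the caller must also do PKIX validation."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    if int(usage) not in (1, 3):
        raise ValueError("trust-anchor usages (0/2) need the whole chain; not handled here")
    return tlsa_assoc_data(cert_der, int(selector), int(mtype)) == bytes.fromhex(hexdata.replace(" ", ""))

def der_tlv(tag, value):
    """Encode one short-form DER TLV; used only to build the constructed sample below."""
    return bytes([tag, len(value)]) + value

# Constructed, certificate-shaped DER for the demo: not a real or signed certificate.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))
                                    + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + bytes(range(64))))
SAMPLE_CERT = der_tlv(0x30, der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                                    + der_tlv(0x30, b"") * 4 + SAMPLE_SPKI)
                      + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
# The record an operator would publish for usage 3 / selector 1 / SHA-256 ("3 1 1"):
SAMPLE_TLSA = "3 1 1 " + tlsa_assoc_data(SAMPLE_CERT, 1, 1).hex()
```

A server doing the strict mode Kim describes would, for each DNSSEC-validated TLSA record of the peer, call `tlsa_matches` on the certificate presented in the TLS handshake and accept the connection only if at least one record matches.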