Unjust certificates can be bought for $150 on the darknet, which makes TLS 
snake oil. And you never know whether the internet provider is hostile or hacked.
So we should act in favor of end users. If we are not yet in a position to 
make DANE mandatory, we should at least try to encourage browser vendors
to support DANE. Just think about all the online banking websites without 
DNSSEC/DANE protection.


On 15.10.18 at 22:49, Viktor Dukhovni wrote:
Though I am generally an advocate for DANE, and have done much work to
further its adoption, this is not a realistic proposal.  DANE adoption
in TLS will be incremental and will not be accomplished via a mandate.

On Oct 15, 2018, at 4:20 PM, Rene 'Renne' Bartsch, B.Sc. Informatics 
<ietf=40bartschnet...@dmarc.ietf.org> wrote:

TLS is prone to Man-In-The-Middle attacks with unjustly obtained intermediate 
certificates (e.g. firewall appliances).
The DNSSEC KSK-rollover worked like a charm.

So I suggest making DANE-TLS mandatory for TLS to prevent Man-In-The-Middle 
attacks with unjustly obtained intermediate certificates.

If you want to see more DANE deployment, work on tooling to ease
DNSSEC deployment, convince registries to support CDS and CDS0,
simplify zone signing and key rollover interfaces in nameserver
implementations, develop monitoring tools, ...  Get efforts to
improve the tools funded, ...

There is much work to be done, before we can expect ubiquitous
DNSSEC support, let alone DANE.  DNSSEC deployment is concentrated
at domains hosted by providers who have invested in automating it.
To bring it to the masses, it must be something that works out of
the box.

Until then it should be possible to use DNSSEC and DANE with TLS,
but we're quite far from being in a position to mandate their use.
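The interception scenario Rene describes, and the DANE check that catches it, as an added example that is not from either poster: a Python TLSA matcher implementing the RFC 6698 selector and matching-type semantics over a minimal DER walker, run against two constructed stand-in certificates that carry different keys. The DER builder, the two sample certificates and the "site vs. interception certificate" naming are assumptions made for this demonstration only.

```python
import hashlib
import hmac

def der_encode(tag: int, value: bytes) -> bytes:
    """Short-form DER TLV encoder; only used to build the constructed sample certificates (values < 128 bytes)."""
    return bytes([tag, len(value)]) + value

def der_decode(data: bytes, pos: int = 0):
    """Decode the DER TLV starting at pos (short- or long-form length) -> (tag, value, end_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a certificate, walking the RFC 5280 field order."""
    _, cert_body, _ = der_decode(cert_der)
    _, tbs, _ = der_decode(cert_body)               # tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):                           # collect each top-level TLV of tbsCertificate
        tag, _, end = der_decode(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][1]   # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_matches(cert_der: bytes, selector: int, matching_type: int, assoc_data: bytes) -> bool:
    """RFC 6698 matching: selector 0 = full cert, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return hmac.compare_digest(subject, assoc_data)
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching_type]
    return hmac.compare_digest(digest(subject).digest(), assoc_data)

def build_sample_cert(key_bytes: bytes) -> bytes:
    """Constructed stand-in with the RFC 5280 field layout (empty names, dummy signature); not a real certificate."""
    empty = der_encode(0x30, b"")
    spki = der_encode(0x30, empty + der_encode(0x03, b"\x00" + key_bytes))
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")  # version, serialNumber
           + empty * 4 + spki)                      # signature, issuer, validity, subject, SPKI
    return der_encode(0x30, der_encode(0x30, tbs) + empty + der_encode(0x03, b"\x00"))

# Constructed scenario: the site's own key vs. a different key in a CA-issued interception certificate.
SITE_CERT = build_sample_cert(bytes(32))
MITM_CERT = build_sample_cert(bytes(range(32)))
# TLSA "3 1 1" data for the site: usage DANE-EE, selector SPKI, SHA-256 of the site's SubjectPublicKeyInfo.
SITE_TLSA_3_1_1 = hashlib.sha256(extract_spki(SITE_CERT)).digest()
```

The interception certificate fails the TLSA comparison no matter which CA signed it, which is the point of the thread; what this block leaves out is the usage field (which decides whether PKIX chain validation is still required) and the DNSSEC validation of the TLSA RRset itself, without which the record cannot be trusted.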


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
