On Wed, Apr 8, 2015 at 3:35 PM, Ryan Sleevi <[email protected]> wrote: > On Wed, April 8, 2015 3:00 pm, Phillip Hallam-Baker wrote: >> http://tools.ietf.org/html/draft-hallambaker-webseccaa-00 >> >> It is a pretty straightforward proposal.
> I believe it was so obvious that the IETF has already beat you to the > punch - RFC 6698. > > In either event, I see no reason to standardize Yet Another Way to do the > same thing. I do. Not all Ways to Do The Same Thing are equal in practice, even if they're equal in theory. DANE is complicated and has a completely different syntax. It is a 37 page long. Philip's proposal is 6 pages long. There is probably more to be added but that is still telling. If a busy site admin asks "how can I close the trust-on-first-use hole for my site?" Would we rather reply with: 1) Copy your HSTS and HPKP headers into a DNS record or 2) Go read up on how DANE works, come up with a DANE policy that's compatible with your HSTS/HPKP preferences (which may not be precisely possible), and keep the two policies compatible as they evolve. Perhaps DANE offers sufficiently extra expressive power for some super-energetic admins will prefer approach 2, but I think 9 of 10 developers (at least) would rather only have to learn and manage one syntax. My recent research on HSTS and HPKP deployment in practice has convinced me that much more attention needs to be paid to making developer's lives easier. _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
