On 03/13/2015 08:23 PM, Antony Prince wrote:
> I am very interested in seeing these proposals become official standards.
The fact that they are called “proposed standards” does not really mean anything. Many widely deployed and successful IETF protocols are still officially considered “proposed standard” and not “Internet standard”, that does not make them less official.
DNSSEC and DANE are as much “official standards” as, for example, OpenPGP (RFC 4880) and the X.509 PKI system (RFC 5280).
> I'm also interested in the thoughts of anyone else who might have more insight into the downsides or repercussions of relying strictly on such a system (if external CAs no longer existed, for example).
I don’t have any more insight, but I’d say that the main downside of both DNSSEC and DANE is that almost no TLS client implements them…
As far as I know, most if not all of the DNS resolvers immediately available on a client system don’t perform DNSSEC validation.
Even if we assume that the system DNS resolver is DNSSEC-capable, I don’t know of any browser (or any other kind of TLS client software) that cares about DNSSEC and/or TLSA records. For Firefox, you have to install a third-party extension [1], and for Chrome, support for DANE is not on Google’s agenda [2] (they prefer to rely on Certificate Transparency [3] instead, which in my opinion does not solve any of the main problems of the PKIX system, but this is another subject).
I am, too, very interested in DANE, and in fact I have great hopes in it (all my TLS servers have TLSA records, and my browser can check them). But we are very far from the point where nobody would need to rely on “trusted” external CAs.
[1] https://www.dnssec-validator.cz/
[2] https://www.imperialviolet.org/2015/01/17/notdane.html
[3] http://www.certificate-transparency.org/what-is-ct
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
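As an added illustration of the TLSA check a DANE-aware TLS client would perform on a server certificate (example code written for this page, not from any of the projects cited above; the DER blobs are constructed stand-ins, and the DNS lookup plus DNSSEC validation of the answer are assumed to happen elsewhere):

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA record, fields as in RFC 6698 section 2.1."""
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Name a client queries for a TLS service, e.g. _443._tcp.example.com."""
    return f"_{port}._{proto}.{host}."

def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Parse TLSA RDATA in wire format: three one-octet fields, then data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data must equal for this certificate."""
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        raise ValueError(f"unknown selector {rec.selector}")
    if rec.matching_type == 0:
        return selected
    if rec.matching_type == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching_type}")

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    # Constant-time comparison; bytes of unequal length simply compare False.
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)

def dane_ee_accepts(records, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any usage-3 (DANE-EE) record matches the presented end-entity
    certificate. Usage 0/1 records also require normal PKIX path validation and
    usage 2 a chain to the named trust anchor; neither is done here. The records
    only mean anything if the resolver validated them with DNSSEC."""
    return any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der) for r in records)

# Constructed sample input: stand-ins for the DER blobs a TLS client would hold.
SAMPLE_CERT = b"constructed stand-in for a DER end-entity certificate"
SAMPLE_SPKI = b"constructed stand-in for its DER SubjectPublicKeyInfo"
SAMPLE_RDATA = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI).digest()  # zone form "3 1 1 <hex>"
```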