-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 3/13/2015 6:31 PM, Damien Goutte-Gattat wrote:
> The fact that they are called “proposed standards” does not really mean
> anything. Many widely deployed and successful IETF protocols are still
> officially considered “proposed standard” and not “Internet standard”;
> that does not make them less official.

I know what you mean. They were proposed years ago and still maintain the
"proposed" status.

> I don’t have any more insight, but I’d say that the main downside of
> both DNSSEC and DANE is that almost no TLS client implements them…
>
> As far as I know, most if not all of the DNS resolvers immediately
> available on a client system don’t perform DNSSEC validation.

I use BIND (named) as my DNS server and it is DNSSEC capable as well as
DLV lookaside capable. Google's public DNS servers are also capable of
both, since I used them a lot for DNS record timeout testing among other
things.

> Even if we assume that the system DNS resolver is DNSSEC-capable, I
> don’t know of any browser (or any other kind of TLS client software)
> that cares about DNSSEC and/or TLSA records. For Firefox, you have to
> install a third-party extension [1], and for Chrome, support of DANE is
> not on Google’s agenda [2] (they prefer to rely on Certificate
> Transparency [3] instead, which in my opinion does not solve any of the
> main problems of the PKIX system, but this is another subject).

I have the Firefox extension myself and refuse to use Chrome since, IMO,
it's nothing more than a bloated version of the Gecko engine which does a
lot of useless crap I'm not interested in. Your mileage may vary. LOL. But
another problem with its adoption as a standard is that most (if not all)
mainstream browsers don't support it natively.

> I am, too, very interested in DANE, and in fact I have great hopes in it
> (all my TLS servers have TLSA records, and my browser can check them).
> But we are very far from the point where nobody would need to rely on
> “trusted” external CAs.

This I think is the main problem. Its adoption has not become mainstream.

I'm of the conspiracy theory opinion that it's the CAs who are making sure
it stays in the background, because otherwise they could potentially lose
their entire market if everyone realized they didn't need a CA to properly
and securely validate their certificates. (Pure personal opinion here, no
facts to back it up.)

My domain is secured via DNSSEC and all my certificates have TLSA records
to back them up. I'm no professional at server administration, so if I can
do it, anyone can. It's disheartening to see something so promising pushed
to the side for so long when it could be a major benefit as far as internet
security is concerned.

Thanks for your reply BTW. :)

- --
Antony Prince
Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B 959F A6E1 6242 4F04 0744
URL: https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xA6E162424F040744
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVA47MAAoJEKbhYkJPBAdEpi0IALJwjhR0uILmFH2cFLADVEvv
jc5/+kwchlkWbIOifLvuqgb7t8DEgVib5rlLBHu72iCIPcLw/1ACJs1xhxhqCSUA
xsu7GXXKhA0F6hiev80LhUzVEI/O4Rd71akH6j8sTnUmuFBb1vXqINCn7q1O/O6i
Bo2kNZyiR0hMk29S88hb78utmnOLs5eaFyX0hVCpZNc8oOv2EquHE4i3/a2d52/K
Ij5BYCV5ZlK/epTHuzYAlKSUWaB1f8VcY1MjgHGsZ298lnR1d54UtPiyEtYuPRLR
TrBx+GNhbziFGHFDOo8i4uAwio4ydG1VfdgbZazbxt2pf+Bgj3rvpzPE8iKtozk=
=YDqt
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
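Both posters talk about publishing TLSA records for their certificates and about clients that check them. The following Python is an added example, not code from either poster or from GnuPG: it builds an RFC 6698 TLSA record from a certificate's DER bytes (selector 0 for the whole certificate, 1 for the SubjectPublicKeyInfo; matching type 0, 1 or 2) and checks a presented certificate against a published record. To run offline it uses a constructed DER skeleton of an X.509 certificate (`SAMPLE_CERT_DER`, placeholder key and signature) rather than a real one; in practice the DER would come from the TLS handshake and the record from a DNSSEC-validating resolver, and the helper names (`tlsa_record`, `tlsa_matches`, `extract_spki`) are this example's own.

```python
"""DANE TLSA records (RFC 6698) built and checked with the standard library only.
Added example, not code from either poster; SAMPLE_CERT_DER is a constructed,
minimal DER skeleton of an X.509 certificate with placeholder key and signature."""
import hashlib
import hmac

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (tag, length, value)."""
    return bytes([tag]) + _der_len(len(body)) + body

def der_children(buf: bytes) -> list:
    """Split a DER constructed value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:
            length, pos = first, pos + 2
        else:
            n = first & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            pos += 2 + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    outer = der_children(cert_der)  # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("certificate is not a single DER SEQUENCE")
    tbs_tag, tbs_body = der_children(outer[0][1])[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:  # explicit [0] version is OPTIONAL
        fields = fields[1:]
    # then: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_body = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return der(0x30, spki_body)  # DER is canonical, so this re-encodes byte-exactly

# Matching type: 0 = exact data, 1 = SHA-256, 2 = SHA-512
MATCHING = {0: lambda d: d,
            1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tlsa_association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo; then apply the matching type."""
    if selector not in (0, 1):
        raise ValueError("unknown TLSA selector")
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return MATCHING[mtype](data)

def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name the record is published under, e.g. _443._tcp.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def tlsa_record(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format rdata such as '3 1 1 <hex>' (DANE-EE, SPKI, SHA-256)."""
    if usage not in (0, 1, 2, 3):
        raise ValueError("unknown TLSA certificate usage")
    return f"{usage} {selector} {mtype} {tlsa_association_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Compare a published TLSA rdata string with the certificate a server presented.
    Only the association data is checked (constant-time). Usages 0 and 1 still need
    PKIX validation, and the record is only meaningful if a DNSSEC-validating
    resolver delivered it; neither is done here."""
    try:
        usage, selector, mtype, assoc_hex = rdata.split()
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        expected = bytes.fromhex(assoc_hex)
        actual = tlsa_association_data(cert_der, selector, mtype)
    except (ValueError, KeyError, IndexError):
        return False
    return usage in (0, 1, 2, 3) and hmac.compare_digest(expected, actual)

# Constructed sample certificate: the structure is real, key and signature are placeholders.
_SIG_ALG = der(0x30, bytes.fromhex("06092a864886f70d01010b0500"))             # sha256WithRSAEncryption
SAMPLE_SPKI = der(0x30, der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
                  + der(0x03, b"\x00" + b"\x01" * 8))                           # placeholder BIT STRING
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02"))                                  # [0] version v3
           + der(0x02, b"\x01") + _SIG_ALG + der(0x30, b"")                     # serial, signature, issuer
           + der(0x30, der(0x17, b"150313000000Z") + der(0x17, b"160313000000Z"))  # validity
           + der(0x30, b"") + SAMPLE_SPKI)                                      # subject, subjectPublicKeyInfo
SAMPLE_CERT_DER = der(0x30, _TBS + _SIG_ALG + der(0x03, b"\x00" + bytes(16)))   # placeholder signature
```

`tlsa_record(cert_der)` with the defaults produces the "3 1 1" form (DANE-EE, SPKI, SHA-256), which is the usage that lets a client accept the server's key on the strength of the DNSSEC-signed record alone, the property the thread is after; with usages 0 and 1 the record only constrains which PKIX chain is acceptable. Pinning the SPKI rather than the whole certificate (selector 1) means the record survives re-issuing a certificate for the same key, and the check deliberately fails closed on any record it cannot parse.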