On 13/12/2013 3:50 PM, Viktor Dukhovni wrote:
> On Fri, Dec 13, 2013 at 03:11:38PM -0500, John Allen wrote:
> > Does anybody know of a good, but simple write up on DANE and TLSA.
> > It has to be simple enough for me to understand (assume idiot).
> An explanation of what DANE TLSA is for[*]?
> Or how to set up a Postfix to work with it?
> If the latter, setting up a client to verify DANE TLSA?
> http://www.postfix.org/TLS_README.html#client_tls_dane
> Or setting up server to be verifiable with DANE TLSA?
> There is some text on this in TLS_README in the server certificate
> section, but we could perhaps add a DANE_README at some point
> or expand the server text if it is not sufficiently detailed.
> The main difficulty with server-side DANE is that your zone
> must be DNSSEC signed. Deployment of DNSSEC is still fairly thin.
> With a bit of luck DANE might motivate folks to consider DNSSEC.
My interest in TLSA was sparked by my looking for info when setting up
my DNS with DNSSEC (still a work in progress). It seemed to provide a
better level of security than the current standard practice. If I have
understood what I have read, TLSA appears to be a mechanism for
publishing security certs in a secure manner.
My interest in TLSA led me to DANE. I am not sure that I fully
understand DANE or TLSA; however, my understanding is that DANE is a
high(er) level TLS encryption standard.
JohnA
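Viktor's point above, that the server side of DANE comes down to publishing the right TLSA record in a DNSSEC-signed zone, is easier to see in code. What follows is an added example written for this thread; it is not Postfix code and not taken from TLS_README. It derives the usage-3 (DANE-EE), selector-1 (SubjectPublicKeyInfo), SHA-256 TLSA record that a DANE client needs in order to verify a mail server's certificate, and it shows the matching check such a client performs against the published RRset. The certificate and the hostname mail.example.com are constructed inline (placeholder signature, layout only) so the script runs offline; the one assumption made about real certificates is the standard RFC 5280 field order, which the small DER walker relies on to find the public key.

```python
"""Derive and check DANE-EE TLSA records for an SMTP server certificate.

Added example for this thread, not Postfix code. Only the standard library is
used; a tiny DER reader pulls the SubjectPublicKeyInfo out of the certificate.
"""
import base64
import hashlib

# ---- minimal DER handling ---------------------------------------------------

def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der(tag, content):
    """Encode one TLV (used only to build the constructed sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 order)."""
    _, cert_body, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, cert_body)          # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)                # subjectPublicKeyInfo ::= SEQUENCE
    return der[pos:end]

# ---- TLSA (RFC 6698) ----------------------------------------------------------

def tlsa_rdata(der, usage=3, selector=1, mtype=1):
    """RDATA text: usage, selector (0 = full cert, 1 = SPKI), matching type (0/1/2)."""
    data = der if selector == 0 else spki_from_cert(der)
    if mtype == 0:
        assoc = data.hex()
    elif mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type %r" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, assoc)


def tlsa_record(hostname, der, port=25, **kw):
    """Zone-file line for the MX host's SMTP port (hostname is an assumption)."""
    return "_%d._tcp.%s. IN TLSA %s" % (port, hostname, tlsa_rdata(der, **kw))


def dane_ee_match(der, rrset):
    """Client side: does the presented leaf cert match a usage-3 record in rrset?

    Usage 0/1/2 records additionally need PKIX or trust-anchor validation and
    are deliberately ignored here, so an RRset holding only those yields False.
    """
    for rr in rrset:
        usage, selector, mtype, assoc = rr.split()
        if int(usage) != 3:
            continue
        computed = tlsa_rdata(der, 3, int(selector), int(mtype)).split()[3]
        if computed == assoc.lower():
            return True
    return False

# ---- constructed sample certificate (placeholder signature, layout only) ------

def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN."""
    return _der(0x30, _der(0x31, _der(0x30,
        _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn))))

SAMPLE_SPKI = _der(0x30,
    _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    + _der(0x03, b"\x00" + _der(0x30, _der(0x02, bytes(range(1, 33)))             # toy modulus
                                      + _der(0x02, b"\x01\x00\x01"))))             # e = 65537

def _sample_cert_der():
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    tbs = _der(0x30,
        _der(0xA0, _der(0x02, b"\x02"))                      # [0] version v3
        + _der(0x02, b"\x01")                                 # serialNumber
        + sig_alg
        + _name(b"Example CA")                                # issuer
        + _der(0x30, _der(0x17, b"131213000000Z") + _der(0x17, b"141213000000Z"))
        + _name(b"mail.example.com")                          # subject
        + SAMPLE_SPKI)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(32)))  # fake signature

SAMPLE_CERT_DER = _sample_cert_der()
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(tlsa_record("mail.example.com", SAMPLE_CERT_DER))
```

With a real certificate, `tlsa_record("mail.example.com", pem_to_der(open("cert.pem").read()))` prints the line to add for the MX host; as Viktor notes, the zone then has to be DNSSEC-signed before a DANE client will act on it. Selector 1 hashes only the public key, so a renewal that keeps the same key leaves the record valid; when the key itself changes, publish the new record alongside the old one and wait out the TTL before switching the server's key, otherwise clients holding the cached RRset will reject the new certificate.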