> On Sat, Dec 14, 2013 at 08:31:10AM -0500, John wrote:
>
> DANE TLSA records allow sites to independently create leaf and CA
> certificates after first registering their DNSSEC key-signing-keys
> with their DNS registrar.  So in effect you do have a CA, but it
> is your DNS registrar and they effectively make you a sub-CA for
> your own domain.

Thanks, I got some of the above. However, I got DANE wrong.

> > Does this do anything to solve "Man in the middle" who presents an
> > apparently valid cert (usually generated on the fly)?
>
> Any authenticated TLS ciphersuite does that.  The challenge is
> always key management.  The public certificate authority PKI
> (Verisign, Comodo, and the other couple of hundred CAs in the browser
> bundles) is somewhat successful in authenticating HTTPS, and largely
> inapplicable to SMTP.
>
> DANE provides a more scalable key management model.  Each domain
> signs its own server certificates either by directly publishing
> their public key digests via DNSSEC, or by using its own issuing
> CA to sign certificates for multiple services, and publishing just
> the public key digest of the CA.  [ See example below my signature. ]
>
> > Because I thought the only way to detect this was to compare the
> > fingerprint of the key presented with the known fingerprint.
>
> With DANE, the "known fingerprint" is found in DNSSEC.
>
> > Just a thought, maybe there is a more appropriate forum/mail list to
> > discuss this on, as this is not strictly Postfix related?
>
> It is fine to ask here, Postfix is the first real application to
> support DANE TLSA.

Thanks for the example, I will run it against my own domains. That, and head over to the sites suggested by Wietse Venema.

JohnA
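The matching step a DANE verifier performs for the two record forms described in the quoted reply (a "3 1 1" record carrying the SHA-256 digest of the server key's SubjectPublicKeyInfo, or a "2 1 1" record carrying the digest of the issuing CA's key), as an added example that is not from the thread or from Postfix's own code. It uses only the Python standard library; the certificate, SPKI and record data are constructed stand-ins, not real keys.

```python
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; bodies under 256 bytes suffice for the constructed cert."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def _tlv_at(buf: bytes, i: int):
    """Return (tag, body_start, end) of the TLV at offset i; handles long-form lengths."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        return tag, i + 2, i + 2 + first
    n = first & 0x7F
    return tag, i + 2 + n, i + 2 + n + int.from_bytes(buf[i + 2:i + 2 + n], "big")

def der_children(tlv: bytes) -> list:
    """Top-level TLV elements inside a constructed DER value such as a SEQUENCE."""
    _, i, end = _tlv_at(tlv, 0)
    out = []
    while i < end:
        _, _, nxt = _tlv_at(tlv, i)
        out.append(tlv[i:nxt])
        i = nxt
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo follows subject in TBSCertificate (RFC 5280 4.1);
    the optional EXPLICIT [0] version (tag 0xA0) shifts its index by one."""
    fields = der_children(der_children(cert_der)[0])
    return fields[6 if fields[0][0] == 0xA0 else 5]

def tlsa_matches(usage: int, selector: int, mtype: int, data_hex: str, cert_der: bytes) -> bool:
    """Check cert_der against a TLSA record "usage selector mtype data".  Usage 3 (DANE-EE)
    matches the leaf; for usage 2 (DANE-TA) pass the issuer cert from the chain.  Usages 0/1
    need the public CA bundle and are unusable for SMTP (RFC 7672), so they never match."""
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)  # selector 1 = SPKI
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}.get(mtype)      # matching type
    return usage in (2, 3) and digest is not None and digest(subject) == bytes.fromhex(data_hex)

def build_fake_cert(spki: bytes) -> bytes:
    """Constructed stand-in with the RFC 5280 field order; not a real, signed certificate."""
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")  # version, serial
           + der_tlv(0x30, b"") * 4 + spki)        # sigalg, issuer, validity, subject, SPKI
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

# Constructed SPKI placeholder (AlgorithmIdentifier + BIT STRING); not a real key.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00" + bytes(range(32))))
SAMPLE_CERT = build_fake_cert(SAMPLE_SPKI)
SAMPLE_TLSA_3_1_1 = hashlib.sha256(SAMPLE_SPKI).hexdigest()  # data field of a "3 1 1" record
```

Because the record data is what the DNSSEC-signed zone publishes, a man-in-the-middle certificate with a different key fails the digest comparison even if a public CA would have vouched for it.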
