> On Oct 15, 2018, at 4:20 PM, Rene 'Renne' Bartsch, B.Sc. Informatics
> <ietf=40bartschnet...@dmarc.ietf.org> wrote:
>
> TLS is prone to Man-In-The-Middle attacks with unjustly obtained intermediate
> certificates (e.g. firewall appliances).
> The DNSSEC KSK-rollover worked like a charm.
>
> So I suggest making DANE-TLS mandatory for TLS to prevent Man-In-The-Middle
> attacks with unjustly obtained intermediate certificates.

Though I am generally an advocate for DANE, and have done much work to further its adoption, this is not a realistic proposal. DANE adoption in TLS will be incremental and will not be accomplished via a mandate.

If you want to see more DANE deployment, work on tooling to ease DNSSEC deployment, convince registries to support CDS and CDS0, simplify zone signing and key rollover interfaces in nameserver implementations, develop monitoring tools, ... Get efforts to improve the tools funded, ...

There is much work to be done before we can expect ubiquitous DNSSEC support, let alone DANE. DNSSEC deployment is concentrated at domains hosted by providers who have invested in automating it. To bring it to the masses, it must be something that works out of the box.

Until then it should be possible to use DNSSEC and DANE with TLS, but we're quite far from being in a position to mandate their use.

-- 
Viktor.

_______________________________________________
TLS mailing list, TLS@ietf.org, https://www.ietf.org/mailman/listinfo/tls
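The mechanism the thread is arguing about, as an added example that is not part of either message: a minimal TLSA matcher in the shape of RFC 6698 / RFC 7671, showing why a record published under a DNSSEC-signed name defeats a leaf certificate minted by a second, equally WebPKI-trusted intermediate. The field values (usage, selector, matching type) are the real RFC 6698 ones; the certificates, chains and the `_443._tcp.example.com` record are constructed stand-ins (plain byte blobs rather than real DER), so the code runs with only `hashlib`. PKIX-* usages 0 and 1, which additionally need a WebPKI path validation, are deliberately left out.

```python
"""
Added example: DANE-EE / DANE-TA matching with constructed certificates.
Not code from the mailing-list thread; only the RFC 6698 field values are real.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# RFC 6698 field values (real); everything below the constants is constructed.
USAGE_DANE_TA = 2     # trust-anchor assertion: an issuer in the chain must match
USAGE_DANE_EE = 3     # end-entity assertion: the leaf itself must match
SELECTOR_CERT = 0     # match the full certificate
SELECTOR_SPKI = 1     # match only the SubjectPublicKeyInfo
MATCH_FULL = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 cert: 'der' and 'spki' are opaque bytes."""
    name: str
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

    @classmethod
    def from_presentation(cls, text: str) -> TLSA:
        """Parse zone-file form: 'usage selector matching hexdata' (hex may be split)."""
        u, s, m, *hex_parts = text.split()
        return cls(int(u), int(s), int(m), bytes.fromhex("".join(hex_parts)))

    def to_presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def _selected(cert: Cert, selector: int) -> bytes:
    if selector == SELECTOR_CERT:
        return cert.der
    if selector == SELECTOR_SPKI:
        return cert.spki
    raise ValueError(f"unsupported selector {selector}")


def _digest(data: bytes, matching: int) -> bytes:
    if matching == MATCH_FULL:
        return data
    if matching == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {matching}")


def make_tlsa(cert: Cert, usage: int, selector: int, matching: int) -> TLSA:
    """The record a zone owner publishes for this certificate (or its SPKI)."""
    return TLSA(usage, selector, matching, _digest(_selected(cert, selector), matching))


def cert_matches(cert: Cert, rec: TLSA) -> bool:
    return _digest(_selected(cert, rec.selector), rec.matching) == rec.data


def dane_accepts(chain: list[Cert], records: list[TLSA]) -> bool:
    """
    chain[0] is the leaf, chain[1:] the issuers the server presented.
    RFC 7671: the TLSA RRset is satisfied if ANY record matches.
    DANE-EE(3) checks the leaf; DANE-TA(2) checks the presented issuers.
    The WebPKI trust store is never consulted, so a rogue-but-trusted
    intermediate buys the attacker nothing here.
    """
    for rec in records:
        if rec.usage == USAGE_DANE_EE and cert_matches(chain[0], rec):
            return True
        if rec.usage == USAGE_DANE_TA and any(cert_matches(c, rec) for c in chain[1:]):
            return True
    return False


# --- constructed scenario (not real certificates) ---------------------------
legit_ca = Cert("Legit CA", b"der:legit-ca", b"spki:legit-ca")
legit_leaf = Cert("example.com", b"der:legit-leaf", b"spki:legit-leaf")
# A second intermediate the client's WebPKI store also trusts (the "firewall
# appliance" case): same subject name on the leaf, different key.
rogue_ca = Cert("Rogue CA", b"der:rogue-ca", b"spki:rogue-ca")
rogue_leaf = Cert("example.com", b"der:rogue-leaf", b"spki:rogue-leaf")

# Constructed RRset for _443._tcp.example.com: "3 1 1 <sha256 of legit SPKI>"
PUBLISHED = [make_tlsa(legit_leaf, USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256)]


def run_demo() -> dict[str, bool]:
    return {
        "legit": dane_accepts([legit_leaf, legit_ca], PUBLISHED),
        "mitm": dane_accepts([rogue_leaf, rogue_ca], PUBLISHED),
    }


if __name__ == "__main__":
    print(PUBLISHED[0].to_presentation())
    print(run_demo())  # {'legit': True, 'mitm': False}
```

The DANE-EE record pins the legitimate key, so the interposed chain fails even though both intermediates would pass ordinary PKIX validation; the same holds for a DANE-TA record naming `legit_ca`. What the toy does not show is the part the reply is about: the client only gets to trust that RRset if the zone is DNSSEC-signed and the resolver validates it, which is the deployment gap the thread is discussing.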