Hi, I'm new to this, but doesn't DANE improve the CA trust model instead of replacing it? If the certificate itself is placed in the DNS signed, the IP can't be spoofed, also the certificate can't be spoofed, but the advantages of a third party validating the details of the certificate requester still exist?! In addition, we have a two level trust point: the DNSSEC and the certificate issued by a third party. Meanwhile the DNSSEC signing key can be stolen, as there would be less security than at a WebTrust audited certificate authority, it then also still requires in addition to successfully attack a certificate authority or vice versa, if successfully attacking a certificate authority the DNSSEC also need to be hacked. Just using DANE will result, that it's enough to hack the DNSSEC key and as we got known of recent attacks on companies, that seems to occur more often than successfully attacking a certificate authority. The only successful attack was against DigiNotar, who reacted as the worst in the scene ever. Comodo was "just" a lack of validation through their registry authority scheme, which has been immediately shut down in its recent manner, Trustwaves Sub CA program, which also has been closed down to prevent from such future occurrence. So also the revoke scheme is much easier, as the OCSP and CRL are well established and usually asked for each encrypted site access, by just publishing new DNSSEC records it depends on the caching settings of the DNSSEC resolvers to get aware of a new public key.
Regards, Christian Von: Sandoche Balakrichenan <sandoche.balakriche...@nic.fr<mailto:sandoche.balakriche...@nic.fr>> Datum: Montag, 15. April 2013 15:08 An: "dane@ietf.org<mailto:dane@ietf.org>" <dane@ietf.org<mailto:dane@ietf.org>> Cc: Niall O'Reilly <niall.orei...@ucd.ie<mailto:niall.orei...@ucd.ie>>, Phil Regnauld <regna...@nsrc.org<mailto:regna...@nsrc.org>>, "mohsen.soui...@afnic.fr<mailto:mohsen.soui...@afnic.fr>" <mohsen.soui...@afnic.fr<mailto:mohsen.soui...@afnic.fr>> Betreff: Re: [dane] Anyone interested in writing a DANE tutorial? Hi Dan and all, Even though it took some time, here in i attach a tutorial style document which explains implementing DANE and a Proof of Concept using a browser add-on. In case, if the attached document is interesting, i am ready to maintain it with new add-ons developed for DANE. Thanks for your views and feedback. Regards, Sandoche BALAKRICHENAN On 09/26/2012 08:27 PM, Dan York wrote: On Tue, 25 Sep 2012, Warren Kumari wrote: Something that would be very helpful for getting this deployed / implemented in browsers is number of folk (and more importantly, organizations) stating that they are planning on / would do DANE if the browsers supported it natively. Of course, even more helpful would be folk actually publishing TLSA records :-P To this last point about getting more TLSA records published, would anyone be interested in writing a step-by-step tutorial for how to publish a TLSA record? Or collaborating on writing one? If we had a page that was a simple set of steps it would be something we could pass around and encourage people to consider doing. I'm thinking of something like: Existing certificate: - get a copy of your TLS certificate - generate the appropriate hash using ____ - create a DNS record that looks like "........." - publish record (including DNSSEC signing) and celebrate New certificate - generate a new TLS certificate using ____ - install certificate in your web server (perhaps assume Apache for the tutorial) - generate the appropriate hash using ____ - create a DNS record that looks like "........." - publish record (including DNSSEC signing) and celebrate Now those steps may not be complete... this is just a first thought... and given that I've never deployed a TLSA record (but would like to) I don't know the exact steps. If anyone would be interested in creating something like this, I'd be glad to publish it on our Deploy360 site (with attribution to you and a link to a site) or if you publish it on your site I'd be glad to link to it from Deploy360. Or if you'd like to collaborate with me on writing something, I'd be glad to help with it. Even if someone could sketch out the basic outline of the commands one would use for the steps above, I'd be glad to write some text narrative explaining the commands. Anyone interested? Thanks, Dan -- Dan York dy...@lodestar2.com<mailto:dy...@lodestar2.com> http://www.danyork.me/<http://www.danyork.com/> skype:danyork Phone: +1-802-735-1624 Twitter - http://twitter.com/danyork _______________________________________________ dane mailing list dane@ietf.org<mailto:dane@ietf.org>https://www.ietf.org/mailman/listinfo/dane -- This message was scanned by ESVA and is believed to be clean.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dane mailing list dane@ietf.org https://www.ietf.org/mailman/listinfo/dane
