On Sat, May 25, 2013 at 08:30:52PM +1000, oneofthem wrote:
> 1. Is DANE finished? Ready to go, rock and roll?
The TLSA RR has been standardized. What remains to do is to define
how TLSA records are to be used in various application protocols.
For application protocols that use SRV records there is a draft in progress.
There is another draft for SMTP based on the SRV draft since MX records
are similar to SRV records.
I have proposed two recent drafts (see the list archives) that address in
more detail how applications that can't use the existing public CA PKI
should interact with DANE (in particular SMTP) and also some implications
for various corner cases.
I have also proposed that applications "follow CNAMEs" to derive
the base domain for TLSA records. It remains to be seen whether
this will gain any traction.
OpenSSL does not yet provide ready-to-use DANE verification code,
so applications based on OpenSSL have to roll their own. This will
change at some point, though I hope not too soon, since the
required changes are invasive, and need some time for the design
and implementation to be validated.
> 2. Is it possible for DANE to replace the CA system currently in place?
For server domains that have deployed DNSSEC, and applications
where clients have DNSSEC validating caching resolvers (or have
chosen to embed DNSSEC capable stub-resolvers directly in application
code) it is possible to bypass the existing public CA PKI.
Just publish TLSA records with usage "3" or perhaps "2", and with
usage "2" make sure to include the TA cert in the server's TLS
handshake certificate chain.
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
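As an added illustration of the usage "3" versus usage "2" point in the reply above (not code from this thread or from any DANE implementation): the block parses a TLSA record in zone-file form, derives the association data for each certificate the server sent in its handshake chain, and reports which chain element the record matched. Certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and the PKIX path building that usage 2 still needs after the trust anchor is found is left to the caller.

```python
import hashlib
from typing import NamedTuple, Optional, Sequence, Tuple

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # RFC 6698 certificate usages
SEL_CERT, SEL_SPKI = 0, 1                         # selector: full cert or SPKI
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2           # matching type

class TLSA(NamedTuple):
    usage: int
    selector: int
    mtype: int
    data: bytes

def parse_tlsa(text: str) -> TLSA:
    # Parse zone-file presentation form, e.g. "3 1 1 <hex digest>".
    u, s, m, *hexparts = text.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex("".join(hexparts)))

def association_data(selector: int, mtype: int, cert: bytes, spki: bytes) -> bytes:
    # Pick the full DER certificate or its SubjectPublicKeyInfo, then hash it.
    chosen = cert if selector == SEL_CERT else spki
    if mtype == MT_FULL:
        return chosen
    if mtype == MT_SHA256:
        return hashlib.sha256(chosen).digest()
    if mtype == MT_SHA512:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unsupported matching type {mtype}")

def dane_match(rr: TLSA, chain: Sequence[Tuple[bytes, bytes]]) -> Optional[int]:
    """Index of the handshake-chain cert the record matches, or None.
    chain[0] is the leaf; entries are (der_cert, der_spki). Usage 3 (DANE-EE)
    matches the leaf only. Usage 2 (DANE-TA) matches only a CA cert the server
    sent above the leaf; the caller still builds a PKIX path from the leaf to it.
    Usages 0/1 also need the public CA PKI and are not handled here."""
    if rr.usage == DANE_EE:
        candidates = range(min(1, len(chain)))
    elif rr.usage == DANE_TA:
        candidates = range(1, len(chain))
    else:
        return None
    for i in candidates:
        cert, spki = chain[i]
        if association_data(rr.selector, rr.mtype, cert, spki) == rr.data:
            return i
    return None

# Constructed stand-ins for DER bytes (not real certificates): leaf, intermediate, TA.
CHAIN = [(b"ee-cert", b"ee-spki"), (b"ica-cert", b"ica-spki"), (b"ta-cert", b"ta-spki")]
```

Dropping the last element of CHAIN makes a usage 2 record for the TA stop matching, which is the "include the TA cert in the handshake chain" requirement from the reply.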