On Sat, May 25, 2013 at 02:42:14PM +0000, Viktor Dukhovni wrote:
> On Sat, May 25, 2013 at 08:30:52PM +1000, oneofthem wrote:
>
> > 1. Is DANE finished? Ready to go, rock and roll?
>
> The TLSA RR has been standardized. What remains to do is to define
> how TLSA records are to be used in various application protocols.
>
> For application protocols that use SRV records there is a draft in progress.
> There is another draft for SMTP based on the SRV draft since MX records
> are similar to SRV records.
>
> I have proposed two recent drafts (see the list archives) that address in
> more detail how applications that can't use the existing public CA PKI
> should interact with DANE (in particular SMTP) and also some implications
> for various corner cases.
>
> I have also proposed that applications "follow CNAMEs" to derive
> the base domain for TLSA records. It remains to be seen whether
> this will gain any traction.
>
> OpenSSL does not yet provide ready-to-use DANE verification code,
> so applications based on OpenSSL have to roll their own. This will
> change at some point, though I hope in not too soon, since the
> required changes are invasive, and need some time for the design
> and implementation to be validated.
>
> > 2. Is it possible for DANE to replace the CA system currently in place?
>
> For server domains that have deployed DNSSEC, and applications
> where clients have DNSSEC validating caching resolvers (or have
> chosen to embed DNSSEC capable stub-resolvers directly in application
> code) it is possible to bypass the existing public CA PKI.
>
> Just publish TLSA records with usage "3" or perhaps "2", and with
> usage "2" make sure to include the TA cert in the server's TLS
> handshake certificate chain.
>
> --
> Viktor.
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
Thank you for your in-depth response!
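The quoted mail makes two points that are easiest to see in code: a client on OpenSSL of that era had to do TLSA matching itself, and a zone that wants to bypass the public CA PKI publishes usage 3 (DANE-EE) or usage 2 (DANE-TA) records, with the TA certificate sent in the handshake for usage 2. The example below is added here and is not code from the mail, from OpenSSL or from any DANE draft; it implements the RFC 6698 selector/matching-type computation and the usage 2/3 matching rule over a constructed `Cert` stand-in (a real client would take the DER certificate and SubjectPublicKeyInfo bytes from the parsed X.509 chain), and it deliberately leaves out the path validation from the end-entity certificate up to the matched trust anchor that a complete usage 2 check also needs.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Cert:
    """Stand-in for one certificate in the server's TLS chain (constructed; no X.509 parsing)."""
    der: bytes   # full DER certificate, used by selector 0 (Cert)
    spki: bytes  # DER SubjectPublicKeyInfo, used by selector 1 (SPKI)

def tlsa_data(cert, selector, mtype):
    """Certificate association data per RFC 6698: apply the selector, then the matching type."""
    payload = {0: cert.der, 1: cert.spki}[selector]
    if mtype == 0:  # matching type 0 = Full: the raw bytes themselves
        return payload
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](payload).digest()

def make_tlsa_rr(cert, usage, selector, mtype):
    """Presentation-format RDATA to publish, e.g. '3 1 1 <sha256 of SPKI>' for DANE-EE."""
    return f"{usage} {selector} {mtype} {tlsa_data(cert, selector, mtype).hex()}"

def parse_tlsa(rdata):
    """Parse presentation-format RDATA into (usage, selector, mtype, data)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))

def dane_match(records, chain):
    """True if some TLSA record authenticates the presented chain (chain[0] is the EE cert).

    usage 3 (DANE-EE): only the end-entity certificate may match.
    usage 2 (DANE-TA): the trust anchor must itself be in the presented chain, as the
        mail says; a full client must also path-validate chain[0] up to it (not done here).
    usage 0/1 (PKIX-*) also need public CA PKI validation and are skipped, since the
        point of usage 2/3 is to bypass that PKI.
    """
    for usage, selector, mtype, data in records:
        if usage == 3:
            candidates = chain[:1]
        elif usage == 2:
            candidates = chain
        else:
            continue
        if any(tlsa_data(c, selector, mtype) == data for c in candidates):
            return True
    return False

# Constructed sample chain: end-entity cert first, then the issuing trust anchor.
EE = Cert(der=b"constructed-ee-cert", spki=b"constructed-ee-spki")
TA = Cert(der=b"constructed-ta-cert", spki=b"constructed-ta-spki")
```

`make_tlsa_rr(EE, 3, 1, 1)` gives the `3 1 1 <hex>` RDATA to publish for this server; `dane_match` with a usage 2 record for `TA` returns False when the server omits `TA` from its chain, which is exactly the misconfiguration the mail warns about.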
