On Wed, May 29, 2013 at 06:22:32PM +0000, Christian Heutger wrote:

> >> Since the domain owner/holder has publicly declared which exact cert
> >> he/she/they trust using a TLSA "2 s m" or "3 s m" based DNS RR, then
> >> why would a web browser ask a question / prompt the visitor/user?!
> >
> >They should not, and I expect will not, once they support DANE.
> 
> Finally, DANE can replace the so-called domain validation certificates, as
> however domain control may be proven, it is then proven by a certificate
> stored in the DNS.

We should not debate the merits and demerits of various PKI models
here.  The OP's question was about browser behaviour, and my comment
on the existing public CA PKI was mostly irrelevant personal opinion,
intended to justify the expectation that browsers will not only
support certificate usage 0/1 to the exclusion of 2/3.

Since browsers accept DV certs today, they most likely will also
support DANE validated certs when they implement DANE.  I would
expect Mozilla, Chrome, IE, ... to eventually include native
reasonably well designed DANE implementations without the need for
third-party plugins.  It is important that this happens, so if any
of you can influence browser vendors in that direction, do it!

[ Additional security beyond DV might be gained in the context of
  DANE via new TLDs where membership policies provide appropriate
  assurance against brand confusion.  Let's not get distracted by
  this issue, it is largely off topic. ]

-- 
        Viktor.
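As an added illustration of the TLSA "usage selector matching-type" records the thread refers to as "2 s m" / "3 s m" (example code written for this page, not code from the thread, the list, or any browser): the check below models how a DANE validator matches a presented chain against published records, and why usages 2/3 (DANE-TA/DANE-EE) can be satisfied without a public-CA verdict while usages 0/1 cannot. The certificates and chain are constructed byte-string stand-ins, not real X.509 DER.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for X.509 certificates: only the two byte strings a TLSA
# check needs (full DER and the SubjectPublicKeyInfo DER). Not real certificates.
@dataclass(frozen=True)
class Cert:
    name: str
    der: bytes
    spki: bytes

CA = Cert("Example CA", b"der:example-ca", b"spki:example-ca")
EE = Cert("www.example", b"der:www-example", b"spki:www-example")
CHAIN = [EE, CA]  # leaf first, as a TLS server would present it (constructed)

def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """RFC 6698 selector (0=full cert, 1=SPKI) and matching type
    (0=exact, 1=SHA-256, 2=SHA-512) applied to one certificate."""
    data = {0: cert.der, 1: cert.spki}[selector]
    if matching == 0:
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).digest()

def tlsa_record(cert: Cert, usage: int, selector: int, matching: int):
    """The (usage, selector, matching, data) tuple a domain holder would publish."""
    return (usage, selector, matching, association_data(cert, selector, matching))

def dane_check(records, chain, pkix_valid: bool):
    """Return the usage of the first record the chain satisfies, or None.
    Usages 0/1 (PKIX-TA/PKIX-EE) also require the public-CA PKIX result;
    usages 2/3 (DANE-TA/DANE-EE) rely on the DNS-published association alone,
    which is why the thread argues a browser has nothing to prompt about."""
    leaf, issuers = chain[0], chain[1:]
    for usage, sel, mt, data in records:
        if usage in (0, 1) and not pkix_valid:
            continue  # PKIX usages fall back to the CA PKI verdict
        # *-EE usages (1, 3) constrain the leaf; *-TA usages (0, 2) an issuer.
        candidates = [leaf] if usage in (1, 3) else issuers
        if any(association_data(c, sel, mt) == data for c in candidates):
            return usage
    return None
```

A published "3 1 1" record (DANE-EE, SPKI, SHA-256) for the leaf is accepted even when the public-CA PKIX result is negative, whereas the same record with usage 1 is not.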
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane