On May 30, 2013, at 10:55 AM, Ben Laurie <[email protected]> wrote:

> On 30 May 2013 15:53, Olaf Kolkman <[email protected]> wrote:
>>
>> On May 30, 2013, at 4:39 PM, Ben Laurie <[email protected]> wrote:
>>
>> On 30 May 2013 15:37, Warren Kumari <[email protected]> wrote:
>>
>> As an example, the Diginotar incident. If a site has a DV (or whatever other
>> cert) and were using DANE, the attacker (who we assume has on the wire MITM
>> capabilities) would not be able to actually *use* the cert.
>>
>>
>> You are imagining a future in which browsers suddenly decide that
>> out-of-band checking is acceptable, which seems unlikely to actually
>> occur other than in fantasy.
Yes, I am, but 'tis a very pretty fantasy, filled with unicorns, rainbows, kittens and a Bloodhound (http://www.dnssec-tools.org/download/#gotoBloodhound).

Obviously this is a niche browser, but... Damn kids, git off of my fantasy...

>>
>> Why?
>
> Because:
>
> a) It introduces latency, and

Yes, this is true. One option (less than ideal, but still better than nothing) would be for the DANE lookup / processing to be done in parallel with the normal A record, but not block the page. If, after the page is rendered / displayed, it turns out that DANE says that something is wrong, the page could be replaced with the big, red, scary thing. Yes, by then it is possibly too late (you have already shipped cookies, etc. to the attacker), but better than blithely thinking you are in the right place.

"Always do DANE" could also be an option that folk could decide to turn on, if they are more paranoid than the average user. Some folk might prefer a latency hit for the added peace of mind.

It could also be that DANE is triggered only for "self signed" / other places where the "There is something odd here" bit happens. Would allow for some of the benefits, and (IMO) not that large a latency hit, as reading the "We couldn't validate this cert, what do you want to do?!" bit takes some time anyway…

But yes, I get the issue.

W

> b) It isn't reliable, so cannot be hard-fail.
>

--
Curse the dark, or light a match. You decide, it's your dark. -- Valdis Kletnieks

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
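The two ideas argued over above, whether a mis-issued (DigiNotar-style) certificate would match the site's TLSA record, and what a browser should do when the lookup is "secure", absent, or unreliable, as an added example that is not from the thread or any of its participants. It assumes RFC 6698 TLSA semantics (usage 3 / DANE-EE only, selector 0 = full certificate or 1 = SubjectPublicKeyInfo, matching 0/1/2 = exact/SHA-256/SHA-512), and the `decide` policy and all certificate bytes are constructed for illustration.

```python
import hashlib
from typing import NamedTuple


class TLSA(NamedTuple):
    usage: int      # 3 = DANE-EE; other usages need chain context and are not handled here
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


def association_data(cert_der: bytes, spki_der: bytes, rec: TLSA) -> bytes:
    """Select and (optionally) hash the certificate material the record demands."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected
    if rec.matching == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching}")


def tlsa_matches(cert_der: bytes, spki_der: bytes, records) -> bool:
    """True if any DANE-EE record pins this certificate (or its public key)."""
    return any(rec.usage == 3 and association_data(cert_der, spki_der, rec) == rec.data
               for rec in records)


def decide(dnssec: str, matched: bool, paranoid: bool) -> str:
    """Illustrative browser policy (an assumption, not a standard):
    'secure'   -> TLSA answer was DNSSEC-validated, so it may hard-fail;
    'insecure' -> zone unsigned / no TLSA, fall back to ordinary PKIX;
    anything else (bogus, timeout) -> unreliable, so soft-fail unless the user opted in."""
    if dnssec == "secure":
        return "accept" if matched else "block"
    if dnssec == "insecure":
        return "accept"
    return "block" if paranoid else "accept"


# Constructed sample material (not real DER; stands in for certificate bytes)
LEGIT_CERT = b"constructed-cert-for-example.test"
LEGIT_SPKI = b"constructed-spki-for-example.test"
RENEWED_CERT = b"constructed-renewed-cert-same-key"      # new cert, same key as LEGIT_SPKI
ROGUE_CERT = b"constructed-cert-from-compromised-ca"      # valid PKIX chain, wrong key
ROGUE_SPKI = b"constructed-spki-controlled-by-attacker"
RECORDS = [
    TLSA(3, 1, 1, hashlib.sha256(LEGIT_SPKI).digest()),   # pin the public key
    TLSA(3, 0, 2, hashlib.sha512(LEGIT_CERT).digest()),   # pin the exact certificate
]
```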
