> On Oct 2, 2014, at 9:15 AM, Viktor Dukhovni <[email protected]> wrote:
>
> On Wed, Oct 01, 2014 at 09:37:08AM -0700, William Stouder-Studenmund wrote:
>
>> Making a case for DANE means making a case for DNSSEC.
>
> Yes.
>
>> I get that DANE can detect a large class of MITM attacks.
>
> No, DANE can publish associations between service end-points and
> public key material. Protecting against MITM attacks is a matter
> for the protocols that use that key material. DNSSEC hardens the
> lookups of that key material against MITM attacks.
>
>> Saying that
>> isn't as convincing as handing over a list of, "DANE is designed to stop
>> this, DANE would have stopped that one," and so on.
>
> DANE can enable opportunistic security protocol designs that are
> capable of resisting MITM attacks. This is in use with SMTP and
> XMPP.

Thank you! These are the things I was hoping to hear.

> DANE for the web is some time away. None of the browsers are
> planning DANE support at this time. My hope is that at some point
> in the future the new "h2" URI scheme will support opportunistic
> DANE TLS, rather than just opportunistic unauthenticated encryption.
>
> DANE replacing public CAs with "https" seems unlikely so long as
> there is perceived value in "EV" certificates.

Take care,

Bill

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
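The division of labour Viktor describes above (DANE publishes the association between a service end-point and its key material in a TLSA record, the TLS protocol checks the presented certificate against it, and DNSSEC is what makes the TLSA lookup itself trustworthy) can be shown in code. The following is an added example written for this page, not code from the thread or from any DANE implementation. It performs the DANE-EE (usage 3) matching step of RFC 6698 against constructed certificate bytes; the TLSA records, the "certificate" and the SubjectPublicKeyInfo are stand-in sample values, and a real client would extract the latter two from the certificate it receives in the TLS handshake. Usages 0 to 2, which need PKIX validation or chain building, are deliberately treated as unusable here.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List

# TLSA RDATA field values from RFC 6698; only those this example handles are named.
USAGE_DANE_EE = 3                                   # match the end-entity cert directly
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1            # what part of the cert is compared
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2   # how it is compared


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes          # "certificate association data"


@dataclass(frozen=True)
class PeerCert:
    der: bytes           # certificate as presented in the TLS handshake (DER)
    spki: bytes          # its SubjectPublicKeyInfo (DER)


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse zone-file presentation form such as '3 1 1 <hex digest>'.
    Whitespace inside the hex string is permitted by RFC 6698, so parts are joined."""
    usage, selector, mtype, *hex_parts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex("".join(hex_parts)))


def tlsa_matches(record: TLSARecord, cert: PeerCert) -> bool:
    """True if the record's association data matches the selected part of the cert."""
    selected = cert.der if record.selector == SELECTOR_FULL_CERT else cert.spki
    if record.matching_type == MATCH_EXACT:
        return record.data == selected
    if record.matching_type == MATCH_SHA256:
        return record.data == hashlib.sha256(selected).digest()
    return record.data == hashlib.sha512(selected).digest()


def dane_verify(records: Iterable[TLSARecord], dnssec_secure: bool,
                cert: PeerCert) -> str:
    """
    Outcome of a DANE-EE check:
      'unauthenticated' - no usable, DNSSEC-validated TLSA data: DANE gives no
                          assurance and the client falls back to its non-DANE policy
      'authenticated'   - the presented certificate matches a validated TLSA record
      'mismatch'        - validated TLSA data exists but nothing matched; a DANE
                          client must treat the handshake as failed
    """
    # DNSSEC's role: TLSA data whose lookup was not validated (no AD bit from a
    # trusted validating resolver, or a bogus chain) could have been altered on
    # the DNS path, so it is treated as if no TLSA record existed.
    if not dnssec_secure:
        return "unauthenticated"
    usable = [r for r in records
              if r.usage == USAGE_DANE_EE
              and r.selector in (SELECTOR_FULL_CERT, SELECTOR_SPKI)
              and r.matching_type in (MATCH_EXACT, MATCH_SHA256, MATCH_SHA512)]
    if not usable:
        return "unauthenticated"
    return "authenticated" if any(tlsa_matches(r, cert) for r in usable) else "mismatch"


def sample_cert() -> PeerCert:
    # Constructed stand-ins (hypothetical host name); not real certificate bytes.
    return PeerCert(der=b"constructed DER certificate for mail.example.com",
                    spki=b"constructed SubjectPublicKeyInfo for mail.example.com")


def sample_records() -> List[TLSARecord]:
    cert = sample_cert()
    current = "3 1 1 " + hashlib.sha256(cert.spki).hexdigest()        # matches today's key
    stale = "3 0 2 " + hashlib.sha512(b"an older certificate").hexdigest()  # left over from a rotation
    return [parse_tlsa(current), parse_tlsa(stale)]


def demo() -> dict:
    cert = sample_cert()
    records = sample_records()
    return {
        "secure_lookup": dane_verify(records, True, cert),
        "insecure_lookup": dane_verify(records, False, cert),
        "rotated_key": dane_verify(records, True, PeerCert(cert.der, b"a different key")),
    }


if __name__ == "__main__":
    for outcome, result in demo().items():
        print(f"{outcome}: {result}")
```

The three outcomes map onto the thread's argument: "secure_lookup" is DANE doing its job, "insecure_lookup" shows that without DNSSEC the TLSA data buys nothing, and "rotated_key" is the operational case where the zone was not updated after a key change and a DANE client correctly refuses rather than silently falling back.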
