On 2014-10-02 14:09, Dan York wrote:
> It seems we may not be seeing DANE / DNSSEC support in Google Chrome
> anytime soon. This ticket was just closed as a WontFix:
> https://code.google.com/p/chromium/issues/detail?id=50874#c22 [1]
> As the ticket says (in part):
> -----
> Closing this out as WontFix, as there are no plans.
> <snip>
> DNSSEC and DANE (types 2/3) do not measurably raise the bar for
> security compared to alternatives, and can be negative for security.
> DNSSEC+DANE (types 0/1) can be accomplished via HTTP Public Key
> Pinning to the same effect, and with a much more reliable and
> consistent delivery mechanism.
> While not desiring to stifle discussion, we've continued to evaluate
> the security and usability benefits and costs of DNSSEC and DANE, and
> will continue to do so, but for now, this is neither something we plan
> to implement nor would support landing.
> -----
> Any thoughts?
> Dan

It seems Google wants to become the one and only authority by
certificate pinning to control whose certificates are accepted instead
of leaving the choice to the domain owner. This also obstructs the
transition to free self-signed certificates for non-commercial domains.
In my opinion the certificate should be linked to the domain by the
domain infrastructure -> DNSSEC.
Please comment on https://bugzilla.mozilla.org/show_bug.cgi?id=1077323 to
encourage Mozilla to implement DANE. This would also improve security
when downloading Firefox updates/addons.
--
Best regards,
Rene Bartsch, B. Sc. Informatics
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane