I've just read draft-york-dane-deployment-observations-00 and I would like to add two things to the list in section 2, "Observations", list of reasons why people don't deploy DANE. These additions come from my experience trying to promote the use of DANE.
The first one is that some people distrust the domain name industry and feel that it is not safe to exchange the CA for the domain name actors (some of them having bad reputations like G... D...). Now, we all know it is more complicated than that (usages PKIX-* do not required that you drop the CA system, but on the other hand, some people fear that, if DANE is in the browser, the registrar, registry or the DNS hoster may be able to divert your users to a false site, something they could not do before). I don't say that I follow this reasoning but I've heard it several times so it could be documented. The second one is the lack of monitoring solutions. DANE brings some new risks of discrepancies (people renewing the certificate and forgetting to update the TLSA record for the *-EE usages...) since the people who manage the certs may not be the same who manage the DNS. We really need Nagios plugins to monitor DANE sites. Unlike the first reason given above, I strongly buy this one. _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
