On Fri, Feb 12, 2016 at 07:51:21AM -0500, Phillip Hallam-Baker wrote:
> The industry now has or at least it thinks it has two answers to the
> problems DANE addresses. They are using HTTP key pinning as their
> security policy layer and are looking at Let's Encrypt for free certs.
>
> If you want to achieve the original objectives of this working group
> and get them deployed, then work within the framework that the parties
> whose buy-in you need for deployment have already established.
It seems to me that the most significant obstacle to using
DNSSEC-assisted key pinning in browsers is not the RRdata format
(TLSA or HPKP text), but rather the DNSSEC last-mile problem, which
means browsers often can't get DNSSEC validated records of any
kind.
Hence revived efforts to transport DNS data inside the TLS handshake
between HTTP server and client.
Given that the DNSSEC approach has more solid mechanisms for ensuring
freshness, and that DANE also supports pinning of trust-anchors,
not just EE keys, there is little to recommend HPKP once DNSSEC is
available.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
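As an added illustration (not part of Viktor's or Phillip's mail, nor any project's code), the check below computes RFC 6698 TLSA certificate association data and compares it with an RFC 7469 HPKP pin-sha256 value: a DANE-EE(3) SPKI(1) SHA2-256(1) record and an HPKP pin are the same SHA-256 over the SubjectPublicKeyInfo, differing only in encoding, while a DANE-TA(2) record pins an issuing CA rather than the leaf. The DER byte strings are constructed stand-ins, not real certificates, and PKIX path validation for usages 0/1 is left out.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded objects. In a real check these are
# the bytes of the server's end-entity certificate / SubjectPublicKeyInfo
# and of the issuing CA's; the matching logic only ever hashes them.
EE_CERT_DER = b"constructed-ee-cert-der"
EE_SPKI_DER = b"constructed-ee-spki-der"
CA_CERT_DER = b"constructed-ca-cert-der"
CA_SPKI_DER = b"constructed-ca-spki-der"
CHAIN = [(EE_CERT_DER, EE_SPKI_DER), (CA_CERT_DER, CA_SPKI_DER)]  # leaf first

def tlsa_assoc_data(cert_der, spki_der, selector, matching_type):
    """Certificate association data as defined in RFC 6698 section 2.1."""
    data = {0: cert_der, 1: spki_der}[selector]   # selector 0=Cert, 1=SPKI
    if matching_type == 0:
        return data                                # Full
    if matching_type == 1:
        return hashlib.sha256(data).digest()       # SHA2-256
    if matching_type == 2:
        return hashlib.sha512(data).digest()       # SHA2-512
    raise ValueError("unknown TLSA matching type %r" % matching_type)

def tlsa_matches(record, chain):
    """record = (usage, selector, mtype, assoc_bytes); chain = [(cert, spki)]
    from end-entity to root. Usages 1 (PKIX-EE) and 3 (DANE-EE) must match
    the leaf; usages 0 (PKIX-TA) and 2 (DANE-TA) match a certificate above
    it, i.e. a CA that issued the leaf directly or indirectly."""
    usage, selector, mtype, assoc = record
    candidates = chain[:1] if usage in (1, 3) else chain[1:]
    return any(tlsa_assoc_data(c, s, selector, mtype) == assoc
               for c, s in candidates)

def hpkp_pin(spki_der):
    """HPKP pin-sha256 value (RFC 7469): base64 of SHA-256 over the SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def tlsa_from_hpkp_pin(pin, usage=3):
    """Re-express an HPKP pin as a TLSA '<usage> 1 1' record: same digest,
    different RRdata encoding."""
    return (usage, 1, 1, base64.b64decode(pin))

def demo():
    ee_record = tlsa_from_hpkp_pin(hpkp_pin(EE_SPKI_DER))      # "3 1 1 ..."
    ta_record = (2, 1, 1, tlsa_assoc_data(CA_CERT_DER, CA_SPKI_DER, 1, 1))
    return {
        "ee_pin_matches": tlsa_matches(ee_record, CHAIN),
        "ta_pin_matches": tlsa_matches(ta_record, CHAIN),
        # a CA digest presented as a DANE-EE record must not match the leaf
        "ta_digest_as_ee_fails": not tlsa_matches((3,) + ta_record[1:], CHAIN),
    }
```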