I remain skeptical of DANE on the server side. Seems to me that ACME and
LetsEncrypt have closed the door there. However, I suddenly realised there
is an opportunity on the client side.

I could do this with a TXT record and might still go that way. But here is
the concept.


* Bluesky has 35 million people using DNS Handles. Mine is
@phill.hallambaker.com. These are becoming useful for many things and there
are people popping up to specialize in offering DNS handles and related
services.

* Most Web sites do not need high assurance authentication. Yes, my broker
really needs to know it is me, and they don't leave that to the IETF and W3C.
The Washington Post, on the other hand, needs something less error prone than
passwords.

* Passkeys are a failure; the developers continue to listen to real user
requirements; they have squatted on this problem too damn long. Time for
other people to be given a chance to fix it.


So what if my DNS Handle provider is running a CA just for me and my
browsers? The root cert for the CA is bound to my DNS Handle via a TXT or
TLSA record.

Each time I configure a new browser, I go through some 2FA mechanism with the
CA and it plops a cert into my browser.

When I visit a Web site, during the initial TLS handshake, the server says
it supports 'Transparent Client Side Authentication' (TCSA).

The browser does TLS client-side auth, presenting the cert it was issued.

I am now authenticated against @phill.hallambaker.com.


The cryptographic security is going to be top notch, of course; the
trustworthiness of the cert depends on context. If I am logging into WaPo
to read the news, a bare anchor without DNSSEC is going to be sufficient.
But we can add DNSSEC, and the CA might offer additional validation, like
only issuing certs to registered doctors.

This is not a complete solution for classified documents in government
applications but I can see it as a useful additional building block.



OK, yes, privacy. My view is very different. I am not trying to isolate all
my web experiences from each other, and I would fail even if I tried; there
are just too many ways to link profiles, not least the fact that I AM USING
THE SAME IP ADDRESS.

I can't see a way to effectively maintain a hundred different personas
across the Web and keep them all isolated (I have over 350 passwords in my
password manager).

Six personas is another matter. Keeping them separate with a bit of
browser support, yes.


This approach does need some changes to the browser, but they are modest
changes. I might even be able to implement them in my own browser PHB at
some point. All it takes is an API that exposes the necessary hooks.
_______________________________________________
dane mailing list -- [email protected]
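An added illustration of the binding step described in the post (example code written here, not the author's or any project's): a server that receives a TCSA client certificate looks up a TLSA-style record for the handle and checks the presented chain against it, with the DNSSEC-or-not trust decision left to site policy. The `_tcsa.` owner name, the DER byte strings and the assurance policy are constructed assumptions, not anything the post or a published specification defines.

```python
from __future__ import annotations
import hashlib, hmac
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CA_DER = b"constructed DER of the per-user CA root"
LEAF_DER = b"constructed DER of the cert issued to one browser"
RECORD_NAME = "_tcsa.phill.hallambaker.com"  # hypothetical owner name

@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA (anchor anywhere in chain), 3 = DANE-EE (leaf only)
    selector: int  # 0 = full certificate; 1 (SPKI) would need an ASN.1 parser
    mtype: int     # 0 = exact match, 1 = SHA2-256, 2 = SHA2-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse RFC 6698 presentation format, e.g. '2 0 1 <hex digest>'."""
    u, s, m, hexdata = rdata.split(None, 3)
    return TLSA(int(u), int(s), int(m), bytes.fromhex(hexdata.replace(" ", "")))

def tlsa_for_anchor(ca_der: bytes, usage: int = 2, mtype: int = 1) -> str:
    """What the handle provider publishes to bind its CA root to the handle."""
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](ca_der).hexdigest()
    return f"{usage} 0 {mtype} {digest}"

def _assoc_data(cert_der: bytes, rec: TLSA) -> bytes:
    if rec.selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs X.509 parsing")
    if rec.mtype == 0:
        return cert_der
    return {1: hashlib.sha256, 2: hashlib.sha512}[rec.mtype](cert_der).digest()

def chain_matches(rec: TLSA, chain: list[bytes]) -> int | None:
    """Index (0 = leaf) of the chain element the record designates, or None.
    Path validation up to that element is still the TLS library's job."""
    candidates = chain[:1] if rec.usage in (1, 3) else chain
    for i, der in enumerate(candidates):
        if hmac.compare_digest(_assoc_data(der, rec), rec.data):
            return i
    return None

def accept_handle(rec: TLSA, chain: list[bytes], dnssec_ad: bool, assurance: str) -> bool:
    """Context-dependent trust: a bare anchor is enough for 'low' assurance
    sites; 'high' assurance additionally requires a DNSSEC-validated record."""
    if assurance == "high" and not dnssec_ad:
        return False
    return chain_matches(rec, chain) is not None
```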