Russell Aspinwall:
> Hi,
>
> Given that Mozilla Firefox is working to add DNSSEC/DANE certificate chain
> Bug 672600 which depends on Bug 1351684 - contemporary security indicators
> (padlock overhaul) which depends on Bug 1379247 - hide https:// but show
> http:// when browser.urlbar.trimURLs=true
>
> Could assistance be given to the Mozilla Firefox to get the DNSSEC/DANE
> working as standard functionality given the expertise already gained from the
> development of the plugin?

DANE stapling isn't a substitute for actual DANE. DANE stapling is primarily only useful for positive overrides (making certs that are invalid according to the CA system appear valid). It's mostly useless for negative overrides because a malicious server can choose not to send the stapled DANE data. Actual DANE (i.e. retrieving DANE records over DNS) is useful for both positive and negative overrides.

Given that Mozilla is refusing to implement actual DANE (see https://bugzilla.mozilla.org/show_bug.cgi?id=1201841#c9 ), a DANE Firefox extension is still highly useful.

Also, I don't think DANE stapling is useful for Namecoin-like use cases (where the DNSSEC trust root is unique per user, and the server doesn't know the DNSSEC trust root), whereas actual DANE works fine for Namecoin.

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: [email protected]
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email [email protected] is having technical issues at the moment.

_______________________________________________
dnssec-validator-users mailing list
[email protected]
https://lists.nic.cz/cgi-bin/mailman/listinfo/dnssec-validator-users
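
The positive/negative override distinction made in the reply above, as an added example (not part of the original message and not code from the DNSSEC/TLSA Validator extension or from Firefox). It is a simplified model: CA validation is reduced to a boolean, TLSA records are assumed to be already DNSSEC-validated, only usage 3 / selector 0 records are handled, and all certificate bytes are constructed.

```python
import hashlib

# TLSA matching types (RFC 6698): 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCHERS = {
    0: lambda der: der,
    1: lambda der: hashlib.sha256(der).digest(),
    2: lambda der: hashlib.sha512(der).digest(),
}

def tlsa_match(cert_der, record):
    """Check one TLSA record (usage, selector, matching_type, data) against a cert."""
    usage, selector, mtype, data = record
    if usage != 3 or selector != 0 or mtype not in MATCHERS:
        return False  # model covers only DANE-EE over the full certificate
    return MATCHERS[mtype](cert_der) == data

def decide(cert_der, ca_valid, records):
    """records: list of validated TLSA records, or None if the client has none."""
    if records is None:
        return ca_valid  # no DANE data visible: fall back to the CA verdict
    return any(tlsa_match(cert_der, r) for r in records)  # DANE data decides

def stapling_client(cert_der, ca_valid, staple):
    # Sees only the DANE data the server chose to put in the handshake.
    return decide(cert_der, ca_valid, staple)

def dns_client(cert_der, ca_valid, zone):
    # Retrieves the records over DNS itself, so the server cannot withhold them.
    return decide(cert_der, ca_valid, zone)

def run_scenarios():
    owner_cert = b"constructed: domain owner's self-signed certificate"
    rogue_cert = b"constructed: CA-valid certificate the owner never authorised"
    zone = [(3, 0, 1, hashlib.sha256(owner_cert).digest())]  # owner's published TLSA
    return {
        # Positive override: CA-invalid cert, honest server staples the records.
        "positive/stapled": stapling_client(owner_cert, False, zone),
        "positive/dns": dns_client(owner_cert, False, zone),
        # Negative override: CA-valid rogue cert, malicious server omits the staple.
        "negative/stapled": stapling_client(rogue_cert, True, None),
        "negative/dns": dns_client(rogue_cert, True, zone),
    }

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:18} -> {'accept' if accepted else 'reject'}")
```

The "negative/stapled" row is the case the reply describes: with no staple in the handshake, the stapling-only client has nothing to contradict the CA verdict and accepts the rogue certificate, while the DNS-retrieving client rejects it.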
