SUGI, I think you do not know that/future for sure. Neither do I.

Your assessment is wrong, below is why...

Most likely, a bit more knowledgeable & active person(s) will be required to handle and configure DNSSEC/DANE, so such people will be hired by companies, AND/or new services will be provided by existing and new cert vendors, for those persons/users who are not able to do that DNSSEC/DANE configuration and maintenance by themselves.

So now try to think, how many companies are out there in the world, who will need to provide DNSSEC/DANE authenticated/verified data & connection to their clients, visitors, users? People would obviously like DNSSEC authenticated & secured connection & data, over those who are not using that, right? Just the way most people like HTTPS connection, over HTTP connection.

That must be & obviously much much more users, companies, etc. all around the world THAN few hundreds (or thousands) of employees in current cert vendors.

And please don't forget, current cert vendors will start new services for providing & maintaining DNSSEC/DANE related DNS records, for those who are not able to do it by themselves.

And also please do not forget, many many DNS experts will also get jobs in various companies all around the world.

And do not forget the existing employees, who will get extra income for the extra work.

-- Bright Star.

Received from koichi sugimoto, on 2013-01-21 1:11 PM:
> I'm afraid that implementing DANE cause new certification vendor
> not to come into the market.
>
> - SUGI
>
> 2013/1/10 Bry8 Star <bry8s...@yahoo.com>
>
>> It would be great to see/know what can be used to enable DANE
>> support in OpenSSL.
>>
>> Those who are interested in bit more info on
>> DANE (and related) :
>>
>> https://datatracker.ietf.org/wg/dane/
>> https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/
>> http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
>> http://www.internetsociety.org/deploy360/resources/dane/
>> https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources
>> http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Tools
>> https://wiki.mozilla.org/Security/DNSSEC-TLS-details
>> https://addons.mozilla.org/en-us/firefox/addon/extended-dnssec-validator/
>> http://www.internetsociety.org/deploy360/blog/2013/01/verisign-labs-dane-demonstration-page-and-test-sites/
>> https://www.gnu.org/software/gnutls/manual/html_node/Certificate-verification.html#DANE-verification
>> http://www.isc.org/software/bind/dnssec
>> http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_15-1/151_dane.html
>> https://github.com/pieterlexis/swede
>>
>> Thanks, -- Bright Star.
>>
>> Jakob Bohm, received on 2013-01-09 3:25 PM:
>>> On 1/9/2013 2:46 PM, Bry8 Star wrote:
>>>> (reposting this on users list) Hi, When can we expect an
>>>> OpenSSL release, that will support DANE protocol to verify
>>>> SSL/TLS certificates (which are added/kept in the DNS RR)
>>>> using DNSSEC protocols ?
>>>
>>> Is there an RFC for DANE, or is it still an experimental or
>>> project-specific protocol.
>>>
>>> Since OpenSSL is mostly a library, the normal/expected way
>>> would be for OpenSSL to pass back to the OpenSSL-using
>>> application with a certificate that needs
>>> locating/verification by external means.
>>>
>>> This application callback can then implement any needed
>>> mechanisms, such as ldap lookups over SSL, http(s)
>>> downloads, lookup in a database or querying using a DNSSEC
>>> supporting DNS resolver library or simply prompting the user
>>> to accept a certificate. Each of those mechanisms can of
>>> course itself use OpenSSL for its cryptographic security.
>>>
>>> Others on this list may be able to point you to precisely
>>> which existing OpenSSL mechanisms can do the trick.
>>>
>>> Enjoy
>>>
>>> Jakob