Can you provide a citation for that statement?   Not doubting you,
particularly, but this is news to me, and probably to some others on this
list, if true.

On Tue, Oct 16, 2018 at 4:01 PM Rene 'Renne' Bartsch, B.Sc. Informatics
<ietf=40bartschnet...@dmarc.ietf.org> wrote:

> Unjust certificates can be bought for 150,- $ on the darknet, which makes
> TLS snake oil. And you never know if the internet provider is hostile or
> hacked.
> So we should act in favor of end-users. If we don't have the position
> to make DANE mandatory yet, we should at least try to encourage browser
> vendors to support DANE. Just think about all the online-banking websites
> without DNSSEC/DANE protection.
>
>
> On 15.10.18 at 22:49, Viktor Dukhovni wrote:
> > Though I am generally an advocate for DANE, and have done much work to
> > further its adoption, this is not a realistic proposal.  DANE adoption
> > in TLS will be incremental and will not be accomplished via a mandate.
> >
> >> On Oct 15, 2018, at 4:20 PM, Rene 'Renne' Bartsch, B.Sc. Informatics
> >> <ietf=40bartschnet...@dmarc.ietf.org> wrote:
> >>
> >> TLS is prone to Man-In-The-Middle attacks with unjustly obtained
> >> intermediate certificates (e.g. firewall appliances).
> >> The DNSSEC KSK-rollover worked like a charm.
> >>
> >> So I suggest making DANE-TLS mandatory for TLS to prevent
> >> Man-In-The-Middle attacks with unjustly obtained intermediate certificates.
> >
> > If you want to see more DANE deployment, work on tooling to ease
> > DNSSEC deployment, convince registries to support CDS and CDS0,
> > simplify zone signing and key rollover interfaces in nameserver
> > implementations, develop monitoring tools, ...  Get efforts to
> > improve the tools funded, ...
> >
> > There is much work to be done, before we can expect ubiquitous
> > DNSSEC support, let alone DANE.  DNSSEC deployment is concentrated
> > at domains hosted by providers who have invested in automating it.
> > To bring it to the masses, it must be something that works out of
> > the box.
> >
> > Until then it should be possible to use DNSSEC and DANE with TLS,
> > but we're quite far from being in a position to mandate their use.
> >
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
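The thread above argues about whether DANE should be mandated, and what a mis-issued certificate means for TLS. As an added example, not code from any of the posters or from an IETF project, the following Go program shows the mechanism being debated: it builds the TLSA record a zone would publish for a server certificate and checks a presented leaf certificate against it under the DANE-EE usage. The hostname bank.example, the throwaway self-signed certificates and the function names are constructed for this demonstration; only the TLSA field semantics (usage, selector, matching type, association data) follow RFC 6698.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA of a TLSA record as defined in RFC 6698, section 2.1.
type TLSA struct {
	Usage        uint8  // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector     uint8  // 0 full certificate, 1 SubjectPublicKeyInfo
	MatchingType uint8  // 0 exact bytes, 1 SHA-256, 2 SHA-512
	Data         []byte // certificate association data
}

// String renders the record in presentation format, e.g. "3 1 1 <hex>".
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.MatchingType, hex.EncodeToString(t.Data))
}

// AssociationData computes the bytes a TLSA record binds to for cert: the selector
// picks which DER to cover, the matching type decides how it is hashed.
func AssociationData(cert *x509.Certificate, selector, matchingType uint8) ([]byte, error) {
	var covered []byte
	switch selector {
	case 0:
		covered = cert.Raw // the whole DER-encoded certificate
	case 1:
		covered = cert.RawSubjectPublicKeyInfo // only the key, so the cert can be reissued
	default:
		return nil, fmt.Errorf("unknown selector %d", selector)
	}
	switch matchingType {
	case 0:
		return covered, nil
	case 1:
		sum := sha256.Sum256(covered)
		return sum[:], nil
	case 2:
		sum := sha512.Sum512(covered)
		return sum[:], nil
	}
	return nil, fmt.Errorf("unknown matching type %d", matchingType)
}

// NewTLSA builds the record a zone operator would publish for cert.
func NewTLSA(cert *x509.Certificate, usage, selector, matchingType uint8) (TLSA, error) {
	data, err := AssociationData(cert, selector, matchingType)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, MatchingType: matchingType, Data: data}, nil
}

// MatchesDANEEE checks a presented leaf certificate against a DANE-EE (usage 3)
// record. Under DANE-EE the issuing CA plays no part: a certificate for the same
// name from any other issuer, however it was obtained, does not match the DNS binding.
func MatchesDANEEE(cert *x509.Certificate, rr TLSA) bool {
	if rr.Usage != 3 {
		return false // other usages need PKIX chain building, which is not shown here
	}
	got, err := AssociationData(cert, rr.Selector, rr.MatchingType)
	if err != nil {
		return false
	}
	return bytes.Equal(got, rr.Data)
}

// SelfSignedCert makes a throwaway certificate for name (constructed test material
// standing in for a server's real certificate).
func SelfSignedCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	legit, _ := SelfSignedCert("bank.example") // the server's own certificate
	rogue, _ := SelfSignedCert("bank.example") // a second cert for the same name, other key
	rr, _ := NewTLSA(legit, 3, 1, 1)           // DANE-EE, SPKI, SHA-256: the usual choice
	fmt.Println("_443._tcp.bank.example. IN TLSA", rr)
	fmt.Println("own cert matches:  ", MatchesDANEEE(legit, rr))
	fmt.Println("rogue cert matches:", MatchesDANEEE(rogue, rr))
}
```

The check is only as strong as the DNS answer it consumes: a client must obtain the TLSA record through DNSSEC-validated resolution, otherwise an on-path party that can tamper with DNS can replace the binding along with the certificate. That dependency is what Viktor's reply is about when it lists DNSSEC tooling as the prerequisite work.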
