> On May 15, 2016, at 4:44 PM, Vladimir Dubrovin <[email protected]> wrote:
>
> I may be wrong (please correct me),

Not so much wrong as "not even wrong". The DANE TTL is largely
irrelevant and should be reasonably short to allow mistakes to be
fixed quickly.

> but as far as I can see, DANE does
> not provide any additional caching mechanism and relies on DNS caching
> only.

This is a feature: changes to the record propagate as the TTL expires.

> DANE does not explain
> what to do if TLSA records lookup fails due to MitM.

*This* is where you're wrong, see
https://tools.ietf.org/html/rfc7672#section-2.1

The error behaviour for SMTP with DANE *is* specified, and avoids
downgrade attacks.

> For me, DANE is a way to avoid authentication with public CA
> infrastructure

Many DANE domains have certificates from public CAs, though DANE
clients don't use the local trust-store when checking these...

> (it sounds funny, but currently public CA infrastructure is not protected
> against
> even passive MitM, because the domain validation process is vulnerable to
> MitM)

Indeed, DV is weaker than DNSSEC, where at least control of the domain
is established via the registrar account that controls the domain.

> but DANE does not replace STS in any way, because long-time policy
> caching is a main feature of STS.

This conclusion is based on an incomplete/incorrect knowledge of DANE SMTP.

-- 
	Viktor.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
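The point Viktor makes about RFC 7672 section 2 is that the client's behaviour is fixed by the *DNSSEC status* of the TLSA lookup, so an attacker who tampers with or blocks that lookup gets a deferred delivery, not a cleartext session. The script below is an added illustration written for this page, not code from the thread, from RFC 7672, or from any MTA; it models the full decision table (bogus, insecure, secure-empty, secure with only unusable records, secure with DANE-EE records) rather than only the MitM case raised in the thread. DNS is replaced by constructed lookup outcomes, and `MX_CERT`, `MX_SPKI` and the attacker bytes are made-up placeholders standing in for real DER, so it runs offline. The DANE-TA(2) chain walk is deliberately omitted; only DANE-EE(3) matching is implemented.

```python
"""
Toy model of the SMTP DANE client decision rules from RFC 7672 section 2,
plus the DANE-EE(3) certificate match.  Added example for this page; not
code from the mailing-list thread, RFC 7672, or any MTA.  DNS results and
certificate bytes are constructed placeholders so the script runs offline.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class DnsStatus(Enum):
    SECURE = "secure"      # DNSSEC-validated answer (possibly empty)
    INSECURE = "insecure"  # provably unsigned zone: DANE does not apply
    BOGUS = "bogus"        # validation failed or lookup error (SERVFAIL)


@dataclass(frozen=True)
class Tlsa:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


class Action(Enum):
    DEFER = "defer: temporary failure, never cleartext"
    OPPORTUNISTIC = "opportunistic TLS, cleartext allowed if TLS unavailable"
    ENCRYPT = "TLS required but unauthenticated (only unusable TLSA records)"
    DANE = "TLS required, peer must match a usable TLSA record"


def usable(rec: Tlsa) -> bool:
    """RFC 7672 treats PKIX usages 0/1 as unusable (no trust store in play);
    only DANE-TA(2) and DANE-EE(3) with known selector/matching type count."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)


def decide(status: DnsStatus, records: tuple) -> Action:
    """Map the TLSA lookup outcome to a delivery policy.  The key property:
    an attacker who breaks the lookup (BOGUS) cannot force cleartext."""
    if status is DnsStatus.BOGUS:
        return Action.DEFER
    if status is DnsStatus.INSECURE or not records:
        return Action.OPPORTUNISTIC
    if not any(usable(r) for r in records):
        # RRset exists, so cleartext is off the table even though nothing
        # can be authenticated (Postfix calls this the "encrypt" fallback).
        return Action.ENCRYPT
    return Action.DANE


def matches(rec: Tlsa, cert: bytes, spki: bytes) -> bool:
    """Compare one TLSA record against the presented certificate material."""
    if not usable(rec):
        return False
    selected = cert if rec.selector == 0 else spki
    if rec.mtype == 0:
        digest = selected
    elif rec.mtype == 1:
        digest = hashlib.sha256(selected).digest()
    else:
        digest = hashlib.sha512(selected).digest()
    return digest == rec.data


def authenticated(records: tuple, cert: bytes, spki: bytes) -> bool:
    """DANE-EE(3): the leaf itself must match.  DANE-TA(2) would require
    matching an issuer in the presented chain, which this toy model omits."""
    return any(r.usage == 3 and matches(r, cert, spki) for r in records)


def deliver(status: DnsStatus, records: tuple, cert: bytes, spki: bytes) -> Action:
    """Full client decision: policy from DNS, then the TLS handshake result.
    A failed DANE match is a hard error for this MX host, not a downgrade."""
    action = decide(status, records)
    if action is Action.DANE and not authenticated(records, cert, spki):
        return Action.DEFER
    return action


def rdata(rec: Tlsa) -> str:
    """Presentation form of a TLSA record, e.g. '3 1 1 <hex digest>'."""
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}"


# Constructed placeholders standing in for the DER bytes a real MX presents.
MX_CERT = b"constructed-leaf-certificate-for-mx.example.net"
MX_SPKI = b"constructed-subject-public-key-info-for-mx.example.net"
MITM_CERT = b"constructed-attacker-certificate"
MITM_SPKI = b"constructed-attacker-spki"

# The operator publishes a DANE-EE / SPKI / SHA-256 record (the usual choice).
PUBLISHED = (Tlsa(3, 1, 1, hashlib.sha256(MX_SPKI).digest()),)

SCENARIOS = {
    "signed zone, honest MX": (DnsStatus.SECURE, PUBLISHED, MX_CERT, MX_SPKI),
    "signed zone, MitM swaps cert": (DnsStatus.SECURE, PUBLISHED, MITM_CERT, MITM_SPKI),
    "MitM blocks TLSA lookup (SERVFAIL)": (DnsStatus.BOGUS, (), MITM_CERT, MITM_SPKI),
    "unsigned zone": (DnsStatus.INSECURE, (), MX_CERT, MX_SPKI),
    "signed zone, only PKIX-EE record": (DnsStatus.SECURE, (Tlsa(1, 1, 1, b"\x00" * 32),), MX_CERT, MX_SPKI),
}

if __name__ == "__main__":
    print("_25._tcp.mx.example.net. IN TLSA", rdata(PUBLISHED[0]))
    for name, args in SCENARIOS.items():
        print(f"{name:38} -> {deliver(*args).value}")
```

Note how the two attacker scenarios end in the same place: whether the MitM swaps the certificate or breaks the DNSSEC answer, the client defers rather than sending in cleartext, which is exactly why DANE needs no long-lived policy cache to resist downgrade. The record TTL only governs how quickly a legitimate key change (or a mistake) becomes visible.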
