bugs.gnupg.org TLS certificate

Damien Goutte-Gattat dgouttegattat at incenp.org
Fri Mar 13 23:31:08 CET 2015


On 03/13/2015 08:23 PM, Antony Prince wrote:
> I am very interested in seeing these proposals become official standards.

The fact that they are called “proposed standards” does not really mean 
anything. Many widely deployed and successful IETF protocols are still 
officially considered “proposed standard” and not “Internet standard”; 
that does not make them any less official.

DNSSEC and DANE are as much “official standards” as, for example, 
OpenPGP (RFC 4880) and the X.509 PKI system (RFC 5280).


> I'm also interested on anyone else's thoughts who might have more
> insight into the downsides or repercussions of relying strictly on such
> a system (if external CA's no longer existed, for example).

I don’t have any more insight, but I’d say that the main downside of 
both DNSSEC and DANE is that almost no TLS client implements them…

As far as I know, most if not all of the DNS resolvers immediately 
available on a client system don’t perform DNSSEC validation.

Even if we assume that the system DNS resolver is DNSSEC-capable, I 
don’t know of any browser (or any other kind of TLS client software) 
that cares about DNSSEC and/or TLSA records. For Firefox, you have to 
install a third-party extension [1], and for Chrome, support for DANE is 
not on Google’s agenda [2] (they prefer to rely on Certificate 
Transparency [3] instead, which in my opinion does not solve any of the 
main problems of the PKIX system, but this is another subject).

I am, too, very interested in DANE, and in fact I have great hopes in it 
(all my TLS servers have TLSA records, and my browser can check them). 
But we are very far from the point where nobody would need to rely on 
“trusted” external CAs.


[1] https://www.dnssec-validator.cz/

[2] https://www.imperialviolet.org/2015/01/17/notdane.html

[3] http://www.certificate-transparency.org/what-is-ct
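To make the TLSA mechanism discussed above concrete, here is an added example (not code from the post, its author, or GnuPG) that builds the kind of record a server operator publishes and performs the matching step a DANE-aware client would do. It uses the "3 1 1" form (certificate usage DANE-EE, selector SubjectPublicKeyInfo, matching type SHA-256) from RFC 6698 and also handles the full-data and SHA-512 matching types. The Ed25519 key material is a constructed dummy value and the owner name `_443._tcp.example.com` is only illustrative; no real server is involved, and the DER helpers are hand-written for this example rather than taken from a library.

```python
"""Build and check DANE TLSA records (RFC 6698) for a TLS server's public key.

Added example, not code from the original mailing-list post. The
SubjectPublicKeyInfo is built from a constructed 32-byte dummy key and
belongs to no real server.
"""
import hashlib
import hmac

# TLSA RDATA field values (RFC 6698, section 2.1)
USAGE_DANE_EE = 3      # certificate usage 3: domain-issued end-entity key/cert
SELECTOR_SPKI = 1      # selector 1: match on SubjectPublicKeyInfo, not full cert
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def der_len(n: int) -> bytes:
    """DER length encoding (short form below 0x80, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """One DER TLV element."""
    return bytes([tag]) + der_len(len(content)) + content


def ed25519_spki(raw_key: bytes) -> bytes:
    """DER SubjectPublicKeyInfo for an Ed25519 key (RFC 8410):
    SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING key }."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    algorithm = der(0x30, der(0x06, bytes([0x2B, 0x65, 0x70])))  # OID 1.3.101.112
    public_key = der(0x03, b"\x00" + raw_key)  # leading 0x00: no unused bits
    return der(0x30, algorithm + public_key)


def _match_data(spki_der: bytes, matching: int) -> bytes:
    """Certificate association data for a given matching type (RFC 6698, 2.1.3)."""
    if matching == MATCH_FULL:
        return spki_der
    if matching == MATCH_SHA256:
        return hashlib.sha256(spki_der).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(spki_der).digest()
    raise ValueError(f"unsupported matching type {matching}")


def tlsa_rdata(spki_der: bytes, matching: int = MATCH_SHA256,
               usage: int = USAGE_DANE_EE, selector: int = SELECTOR_SPKI) -> str:
    """Presentation form of the TLSA RDATA, e.g. '3 1 1 <hex>'.
    The owner name the operator publishes it under is _port._proto.host,
    e.g. _443._tcp.example.com (illustrative name)."""
    return f"{usage} {selector} {matching} {_match_data(spki_der, matching).hex()}"


def parse_tlsa(rdata: str):
    """Split presentation-form RDATA into (usage, selector, matching, data)."""
    usage, selector, matching, hexdata = rdata.split()
    return int(usage), int(selector), int(matching), bytes.fromhex(hexdata)


def dane_ee_spki_matches(presented_spki: bytes, records) -> bool:
    """Client-side check: does the SPKI presented in the TLS handshake satisfy
    any usage-3/selector-1 record? Records with other usage/selector values or
    an unknown matching type are skipped as unusable here; a full client would
    also evaluate usages 0-2 and selector 0 against the certificate chain."""
    for rdata in records:
        usage, selector, matching, data = parse_tlsa(rdata)
        if usage != USAGE_DANE_EE or selector != SELECTOR_SPKI:
            continue
        try:
            candidate = _match_data(presented_spki, matching)
        except ValueError:
            continue
        if hmac.compare_digest(candidate, data):
            return True
    return False


if __name__ == "__main__":
    server_key = bytes(range(32))          # constructed dummy key, not a real one
    spki = ed25519_spki(server_key)
    record = tlsa_rdata(spki)
    print("_443._tcp.example.com. IN TLSA", record)
    print("genuine key accepted:", dane_ee_spki_matches(spki, [record]))
    impostor = ed25519_spki(bytes(32))     # a different key a MITM might present
    print("impostor rejected:", not dane_ee_spki_matches(impostor, [record]))
```

Note that this checks only the binding between the DNS record and the presented key; it is only as trustworthy as the DNSSEC validation of the lookup that returned the record, which is exactly the part the post says most client-side resolvers do not perform.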
