bugs.gnupg.org TLS certificate
dgouttegattat at incenp.org
Fri Mar 13 23:31:08 CET 2015
On 03/13/2015 08:23 PM, Antony Prince wrote:
> I am very interested in seeing these proposals become official standards.
The fact that they are called “proposed standards” does not really mean
anything. Many widely deployed and successful IETF protocols are still
officially considered “proposed standard” and not “Internet standard”;
that does not make them less official.
DNSSEC and DANE are as much “official standards” as, for example,
OpenPGP (RFC 4880) and the X.509 PKI system (RFC 5280).
> I'm also interested in anyone else's thoughts who might have more
> insight into the downsides or repercussions of relying strictly on such
> a system (if external CAs no longer existed, for example).
I don’t have any more insight, but I’d say that the main downside of
both DNSSEC and DANE is that almost no TLS client implements them…
As far as I know, most if not all of the DNS resolvers immediately
available on a client system don’t perform DNSSEC validation.
Even if we assume that the system DNS resolver is DNSSEC-capable, I
don’t know of any browser (or any other kind of TLS client software)
that cares about DNSSEC and/or TLSA records. For Firefox, you have to
install a third-party extension, and for Chrome, support of DANE is
not on Google’s agenda (they prefer to rely on Certificate
Transparency instead, which in my opinion does not solve any of the
main problems of the PKIX system, but this is another subject).
I am, too, very interested in DANE, and in fact I have great hopes in it
(all my TLS servers have TLSA records, and my browser can check them).
But we are very far from the point where nobody would need to rely on
“trusted” external CAs.
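The TLSA matching referred to in the last paragraph of the message (a server publishing TLSA records for its certificate, a client checking the certificate it is presented against them), as an added example that is not part of this message, of the thread, or of GnuPG. It is Python using only the standard library. The certificate is a constructed placeholder built by sample_cert with the RFC 5280 field order but no real key or signature; the function names, the placeholder SPKI and the zone name are this example's own assumptions. It decides only the DANE-EE (usage 3) match: usages 0 to 2 additionally need PKIX chain validation, and every usage only counts when the TLSA RRset arrived DNSSEC-validated, neither of which the code does.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the placeholder certificate below)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, body, position just after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo (TLSA selector 1): walk tbsCertificate in RFC 5280 order."""
    _, cert_body, _ = der_read(cert_der, 0)             # Certificate SEQUENCE
    _, tbs, _ = der_read(cert_body, 0)                  # tbsCertificate SEQUENCE
    tag, _, pos = der_read(tbs, 0)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        _, _, pos = der_read(tbs, pos)                  # then serialNumber
    for _ in range(4):                                  # signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)                      # subjectPublicKeyInfo
    return tbs[pos:end]

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

    def present(self) -> str:                           # zone-file RDATA form
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"

    @classmethod
    def parse(cls, text: str) -> "TLSA":
        u, s, m, h = text.split()
        return cls(int(u), int(s), int(m), bytes.fromhex(h))

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """What a record with this selector and matching type must carry for cert_der."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_from_cert(cert_der)
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return selected
    if mtype in (1, 2):
        return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_for_cert(cert_der, usage=3, selector=1, mtype=1) -> TLSA:
    """Server side: the record to publish; '3 1 1' is the common DANE-EE form."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))

def dane_ee_matches(cert_der: bytes, records: Iterable[TLSA]) -> bool:
    """Client side: does the presented end-entity certificate satisfy any DANE-EE record?
    Only usage 3 is decided here, the one usage needing no PKIX chain; usages 0-2 also
    require chain validation, and any usage only counts when the RRset arrived
    DNSSEC-validated (RFC 6698 section 4.1). Records with unknown parameters are skipped."""
    for rec in records:
        if rec.usage != 3:
            continue
        try:
            if association_data(cert_der, rec.selector, rec.mtype) == rec.data:
                return True
        except ValueError:
            continue
    return False

# Placeholder SPKI: Ed25519 OID 1.3.101.112 with an all-zero key (constructed, not a real key).
SAMPLE_SPKI_BODY = der(0x30, der(0x06, bytes.fromhex("2b6570"))) + der(0x03, bytes(33))
_SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption

def sample_cert(spki_body: bytes) -> bytes:
    """Constructed stand-in for a DER certificate: RFC 5280 field order, placeholder
    names, dates and signature. Enough for the TLSA arithmetic, not usable for TLS."""
    tbs = der(0x30, (der(0xA0, der(0x02, b"\x02"))             # [0] version v3
                     + der(0x02, b"\x01")                        # serialNumber
                     + _SIG_ALG                                  # signature algorithm
                     + der(0x30, b"")                            # issuer (placeholder)
                     + der(0x30, der(0x17, b"150313000000Z") + der(0x17, b"160313000000Z"))
                     + der(0x30, b"")                            # subject (placeholder)
                     + der(0x30, spki_body)))                    # subjectPublicKeyInfo
    return der(0x30, tbs + _SIG_ALG + der(0x03, bytes(17)))   # placeholder signature

SAMPLE_CERT = sample_cert(SAMPLE_SPKI_BODY)
```

Usage: tlsa_for_cert(SAMPLE_CERT).present() gives the RDATA to put in a record such as _443._tcp.example.org. IN TLSA (the name is an assumption), and dane_ee_matches(cert, [TLSA.parse(rdata)]) is the client-side check. Publishing a "3 1 1" record hashes the SubjectPublicKeyInfo rather than the whole certificate, so the record survives a certificate renewal that keeps the same key; a "3 0 1" record has to be republished with every new certificate.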