bugs.gnupg.org TLS certificate

Antony Prince antony at blazrsoft.com
Sat Mar 14 02:28:47 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 3/13/2015 6:31 PM, Damien Goutte-Gattat wrote:
> The fact that they are called “proposed standards” does not really mean
> anything. Many widely deployed and successful IETF protocols are still
> officially considered “proposed standard” and not “Internet standard”,
> that does not make them less official.

I know what you mean. They were proposed years ago and still maintain
the "proposed" status.

> I don’t have any more insight, but I’d say that the main downside of
> both DNSSEC and DANE is that almost no TLS client implements them…
> 
> As far as I know, most if not all of the DNS resolvers immediately
> available on a client system don’t perform DNSSEC validation.

I use BIND(named) as my DNS server and it is DNSSEC capable as well as
DLV-Lookaside capable. Google's public DNS server are also capable of
both as well since I used them a lot for DNS record timeout testing
among other things.

> Even if we assume that the system DNS resolver is DNSSEC-capable, I
> don’t know of any browser (or any other kind of TLS client software)
> that care about DNSSEC and/or TLSA records. For Firefox, you have to
> install a third-party extension [1], and for Chrome, support of DANE is
> not on Google’s agenda [2] (they prefer to rely on Certificate
> Transparency [3] instead, which in my opinion does not solve any of the
> main problems of the PKIX system, but this is another subject).

I have the Firefox extension myself and refuse to use Chrome since, IMO,
its nothing more than a bloated version of the Gecko engine which does a
lot of useless crap I'm not interested in. Your mileage may vary. LOL.
But that is another problem with its adoption as a standard is that most
(if not all) mainstream browsers don't support it natively.

> I am, too, very interested in DANE, and in fact I have great hopes in it
> (all my TLS servers have TLSA records, and my browser can check them).
> But we are very far from the point where nobody would need to rely on
> “trusted” external CAs.

This I think is the main problem. It's adoption has not become
mainstream. I'm of the conspiracy theory opinion that its the CA's who
are making sure it stays in the background because otherwise they could
potentially lose their entire market if everyone realized they didn't
need a CA to properly and securely validate their certificates. (Pure
personal opinion here, no facts to back it up). My domain is secured via
DNSSEC and all my certificates have TLSA records to back them up. I'm no
professional at server administration, so if I can do it, anyone can.
Its disheartening to see something so promising pushed to the side for
so long when it could be a major benefit as far as internet security is
concerned. Thanks for your reply BTW. :)

- -- 

Antony Prince

Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B  959F A6E1 6242 4F04 0744
URL:
https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xA6E162424F040744
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVA47MAAoJEKbhYkJPBAdEpi0IALJwjhR0uILmFH2cFLADVEvv
jc5/+kwchlkWbIOifLvuqgb7t8DEgVib5rlLBHu72iCIPcLw/1ACJs1xhxhqCSUA
xsu7GXXKhA0F6hiev80LhUzVEI/O4Rd71akH6j8sTnUmuFBb1vXqINCn7q1O/O6i
Bo2kNZyiR0hMk29S88hb78utmnOLs5eaFyX0hVCpZNc8oOv2EquHE4i3/a2d52/K
Ij5BYCV5ZlK/epTHuzYAlKSUWaB1f8VcY1MjgHGsZ298lnR1d54UtPiyEtYuPRLR
TrBx+GNhbziFGHFDOo8i4uAwio4ydG1VfdgbZazbxt2pf+Bgj3rvpzPE8iKtozk=
=YDqt
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list