How does the DNS-based Authentication of Named Entities (DANE) protocol make Certificate Authorities (CA) obsolete?
In other words: How is it technically possible that DANE does not need Certificate Authorities?
DANE makes it possible for every owner of a domain to publish its certificate inside the DNS, i.e. fully managed by the owner of the domain, which is the owner of the certificate. But DANE needs DNSSEC because otherwise such records could be spoofed, which would be a major problem with certificates. Thus, while DANE does not rely on a certificate hierarchy to build a chain to a trusted root CA, it still relies on a similar concept: a key hierarchy with trusted root keys.
The main difference from CA-issued certificates is that the domain owner can fully create all certificates belonging to its domain itself and insert them into this hierarchy of trusted keys. Similarly, revocation is easier, since the key simply has to be removed from the DNS. This of course requires that the domain owner is able to manage its own DNS records and that these are protected with DNSSEC.
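An added example (not part of the answer above) of the mechanics the answer describes: the domain owner derives a TLSA record from its own certificate and publishes it, and a client matches the certificate the server presents against the TLSA RRset instead of walking a chain to a CA. It uses only the Python standard library; the certificates are constructed, X.509-shaped DER with no real signature, and the key bytes, `example.com` name, and function names are the example's own. The one thing the code cannot do is the part the answer insists on: `dane_ee_matches` assumes the RRset it is handed was returned by a validating resolver with DNSSEC validation succeeded, because a spoofed RRset would match a spoofed certificate just as well.

```python
"""Build DANE TLSA records from a certificate and match a presented certificate against a
DNSSEC-validated TLSA RRset (RFC 6698 fields, RFC 7671 DANE-EE semantics). Stdlib only."""
import hashlib
import hmac
from dataclasses import dataclass

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_header(buf: bytes, off: int) -> tuple[int, int]:
    """(header length, content length) of the TLV that starts at buf[off]."""
    ln = buf[off + 1]
    if ln & 0x80:
        k = ln & 0x7F
        return 2 + k, int.from_bytes(buf[off + 2:off + 2 + k], "big")
    return 2, ln

def der_children(seq: bytes) -> list[bytes]:
    """Complete TLV encodings of the direct children of a DER SEQUENCE."""
    if seq[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    hdr, ln = _der_header(seq, 0)
    off, end, out = hdr, hdr + ln, []
    while off < end:
        h, n = _der_header(seq, off)
        out.append(seq[off:off + h + n])
        off += h + n
    return out

def spki_of(cert_der: bytes) -> bytes:
    """The SubjectPublicKeyInfo TLV, which TLSA selector 1 hashes."""
    fields = der_children(der_children(cert_der)[0])   # tbsCertificate
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5]   # serial, signature, issuer, validity, subject, SPKI

_EC_PUBKEY = der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))      # id-ecPublicKey
_ECDSA_SHA256 = der_tlv(0x06, bytes.fromhex("2a8648ce3d040302"))  # ecdsa-with-SHA256

def toy_certificate(serial: int, public_key: bytes) -> bytes:
    """Constructed X.509-shaped DER: empty names, zeroed signature, 1 <= serial < 128."""
    alg, name = der_tlv(0x30, _ECDSA_SHA256), der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, _EC_PUBKEY) + der_tlv(0x03, b"\x00" + public_key))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(64)))

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data
    def presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <64 hex chars>'."""
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"
    def usable(self) -> bool:   # RFC 7671: unknown parameters or wrong digest length -> unusable
        want = {0: None, 1: 32, 2: 64}.get(self.mtype, -1)
        return self.selector in (0, 1) and (want is None or len(self.data) == want)

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    selected = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return selected
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(selected).digest()

def tlsa_for_certificate(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """What the domain owner publishes; '3 1 1' is the form RFC 7671 recommends."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))

def dane_ee_matches(cert_der: bytes, validated_rrset: list[TLSA]) -> bool:
    """True if any usable DANE-EE record matches the presented end-entity certificate.
    validated_rrset MUST come from a validating resolver with DNSSEC validation succeeded
    (AD bit set): an unvalidated RRset could be spoofed, so a match would prove nothing.
    Usages 0-2 need PKIX chain building and are not handled here."""
    return any(rr.usage == 3 and rr.usable()
               and hmac.compare_digest(association_data(cert_der, rr.selector, rr.mtype), rr.data)
               for rr in validated_rrset)

# Constructed key material: two distinct 65-byte placeholders shaped like EC points.
KEY_A = b"\x04" + bytes(range(1, 65))
KEY_B = b"\x04" + bytes(range(64, 0, -1))

if __name__ == "__main__":
    old_cert, new_cert = toy_certificate(1, KEY_A), toy_certificate(2, KEY_B)
    rrset = [tlsa_for_certificate(old_cert)]
    print("_443._tcp.example.com. IN TLSA", rrset[0].presentation())
    print("old cert accepted:", dane_ee_matches(old_cert, rrset))
    # Rollover: publish the new record, wait out the TTL, switch the server, drop the old one.
    rrset.append(tlsa_for_certificate(new_cert))
    rrset = [rr for rr in rrset if rr != tlsa_for_certificate(old_cert)]
    print("old cert after record removal:", dane_ee_matches(old_cert, rrset))
```

The `__main__` block walks the "revocation" the answer mentions: once the old record is removed from the RRset, the old certificate stops matching, with no CRL or OCSP involved. Selector 1 (SPKI) is what makes routine reissuance painless: a certificate reissued for the same key still matches, whereas a selector 0 (full certificate) record has to be republished on every reissue.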