
As I understand it, DANE (RFC 6698) is a promising candidate for addressing issues with current TLS Trust Anchors (i.e. Trust Anchors).

My attempt at explaining the issue:

Currently, CAs are universal trust anchors and, as a result, are permitted to issue certificates for any site, regardless of TLD or prior existence of a valid cert. DANE would move these trust anchors to the DNS infrastructure where there would be a strict public key hierarchy (e.g. "*" —> "*.com" —> "*.example.com" etc.).


Tying trust to the DNS entry requires that these be secure (from, say, cache poisoning). The proposed standard attempting to solve this is DNSSEC (RFC 5155). It also surprises me that the move towards DNSSEC has not been more rapid given that the current issues with DNS appear to be numerous, well-documented, and potentially quite serious.

The conspiracy theorist in me wants to blame the CA business, which has a vested interest in DANE’s failure, but I’m sure there are more rational explanations.

Basically: What, if anything, is hindering progress/adoption of these RFCs?

msuozzo
  • Questions like this are not a good fit here. You really want to contact someone involved with DANE and ask them. – Rory Alsop Jul 22 '14 at 21:09
  • @RoryAlsop Thank you for pointing this out. I now realize that this post may fall out of the scope of this forum. The only reason I asked this was that I've seen this topic mentioned many times on IS and wanted those users' input. – msuozzo Jul 22 '14 at 21:55
  • You should phrase the question like http://security.stackexchange.com/q/45770/2379 . – Pacerier Feb 16 '15 at 20:14
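The question describes DANE as moving the trust anchor for a site's certificate into DNS. Concretely, the DNS side of that is a TLSA record (RFC 6698) whose RDATA is "usage selector matching-type association-data", and a DANE-aware client compares the certificate it receives against that data rather than (or in addition to) walking a CA chain. The following Python block is an added illustration, not code from the question, its comments, or any DANE implementation: it walks the outer DER structure of an X.509 certificate to pull out the SubjectPublicKeyInfo, derives the association data for each selector and matching type, and checks a presentation-format TLSA record against it. The certificate and the TLSA record are constructed inside the block (the certificate has a valid DER shape but a placeholder key and signature, so it would not verify cryptographically), and the helper names are the block's own.

```python
import hashlib
import hmac

# ---- minimal DER reader (enough for the outer X.509 structure) -------------

def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos. Returns (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split a SEQUENCE body into elements, keeping each element's raw TLV bytes."""
    out, pos = [], 0
    while pos < len(seq_value):
        start = pos
        tag, _, pos = _read_tlv(seq_value, pos)
        out.append((tag, seq_value[start:pos]))
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (whole TLV) of an X.509 certificate."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = _read_tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs_body)
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    idx = 1 if fields[0][0] == 0xA0 else 0
    return fields[idx + 5][1]

# ---- TLSA (RFC 6698) association data ---------------------------------------

def tlsa_association_data(cert_der, selector, matching_type):
    """Selector 0 = full certificate, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def parse_tlsa(rdata_text):
    """Parse presentation-format RDATA 'usage selector mtype hex'; RFC 6698 allows whitespace inside the hex."""
    usage, selector, mtype, hexdata = rdata_text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexdata.split()))


def cert_matches_tlsa(cert_der, rdata_text):
    """Byte-compare one certificate against one TLSA record (the per-certificate step for usages 2/3;
    usages 0/1 additionally require ordinary PKIX validation, which is out of scope here)."""
    _usage, selector, mtype, assoc = parse_tlsa(rdata_text)
    return hmac.compare_digest(tlsa_association_data(cert_der, selector, mtype), assoc)

# ---- constructed sample input (not a real certificate) -----------------------

def _der(tag, body):
    """Encode one DER TLV; used only to build the sample certificate below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _build_sample_cert():
    """X.509 skeleton with a correct DER shape, a placeholder Ed25519 key and an all-zero signature."""
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"example.com"))))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2b6570"))) + _der(0x03, b"\x00" + bytes(range(32))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(64))), spki


SAMPLE_CERT, SAMPLE_SPKI = _build_sample_cert()
# Constructed TLSA record for the sample cert: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()

if __name__ == "__main__":
    print("SPKI extracted:", extract_spki(SAMPLE_CERT) == SAMPLE_SPKI)
    print("TLSA matches:  ", cert_matches_tlsa(SAMPLE_CERT, SAMPLE_TLSA))
```

The usage field decides which certificate the comparison is applied to and whether PKIX validation still runs: with usage 3 the record is matched against the server's end-entity certificate and the CA chain is not consulted at all, which is exactly the shift away from universal CA trust anchors the question describes; with usage 2 the match is against a CA certificate in the presented chain. None of this is meaningful unless the TLSA answer itself arrived DNSSEC-validated, which is why the two RFCs are coupled.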
