
We've been considering making more use of DANE as a decentralised authority for our certificates.

Especially with S/MIME.

However, the key obstacle is... how widely is DANE treated as an authority by mail clients?

Is there a list of all the clients (mail, web, ftp, ssh, etc.) that support DANE?

Thanks,

  • As far as I understand: DANE verification does not happen on the client side but rather as a part of DKIM verification on the server side. One thing is you have published a public key for DKIM signatures on your server, but you need DANE in conjunction with DNSSEC to verify that the given key is actually an authorised key for a given domain. To that end DANE is transparent for the end user. I haven't heard about DANE being used for https and ftps at all. The closest thing is probably the use of `CAA` records. – Lasse Michael Mølgaard Jul 22 '21 at 13:47
  • By DANE, I mean this: DANE (DNS-based Authentication of Named Entities). DKIM is better implemented with DNSSEC, but there isn't a requirement for that. I think you're confusing DANE with similar use cases. You could read more here: https://blog.verisign.com/security/how-dane-strengthens-security-for-tls-smime-and-other-applications/ – Haneef Ibn Ahmad Jul 22 '21 at 16:10

0 Answers