einsteintoolkit / tickets / issues / #1629 - Use DANE for server certificates — Bitbucket

Issue #1629 closed

Erik Schnetter created an issue 2014-06-04

If I understand correctly, DANE (http://www.heise.de/newsticker/meldung/DANE-Bund-sichert-nach-Mail-Transport-auch-Webservice-mittels-DANE-ab-2215929.html, http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) would allow server owners to publish their certificates with their DNS entries. This could -- if I understand correctly -- replace the need for having certificates signed by a CA, which is always expensive and cumbersome.

Keyword:

Comments (3)

Frank Löffler
- removed comment
This only moves the problem: DANE needs DNS records to be signed with DNSSEC. Instead of trusting a list of CAs, applications need to trust whoever signed the DNS record (and support this in the first place). The list of applications that support this seems to be pretty short right now, according to wikipedia Chome and Firefox have a plugin, and the only other mentioned application is Irssi - an IRC client. GnuTLS also has support, but applications might not be linked against it (but against openssl instead), and I would assume they still need some support for it.

In general, DANE seems like a very good idea. For now I am afraid it looks like it would be too much trouble for a small group like us to get this implemented - with only very limited advantages. We would still need the usual certificates for all clients that don't support DANE.
- 2014-06-04T11:04:15+00:00
Frank Löffler
- changed status to resolved
- removed comment
- 2014-06-16T10:41:18+00:00
Roland Haas
- changed status to closed
- edited description
- 2019-02-21T20:05:49+00:00
Log in to comment

Assignee: –

Type: enhancement

Priority: minor

Status: closed

Component: EinsteinToolkit website

Milestone: –

Version: development version

Votes: 0

Watchers: 0

Jira Software: the preferred issue tracker for Bitbucket. Join the team!