Use DANE for server certificates
Issue #1629
closed
If I understand correctly, DANE (http://www.heise.de/newsticker/meldung/DANE-Bund-sichert-nach-Mail-Transport-auch-Webservice-mittels-DANE-ab-2215929.html, http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) would allow server owners to publish their certificates with their DNS entries. This could -- if I understand correctly -- replace the need for having certificates signed by a CA, which is always expensive and cumbersome.
Comments (3)
This only moves the problem: DANE needs DNS records to be signed with DNSSEC. Instead of trusting a list of CAs, applications need to trust whoever signed the DNS record (and support this in the first place). The list of applications that support this seems to be pretty short right now: according to Wikipedia, Chrome and Firefox have a plugin, and the only other mentioned application is Irssi, an IRC client. GnuTLS also has support, but applications might not be linked against it (but against OpenSSL instead), and I would assume they still need some support for it.
In general, DANE seems like a very good idea. For now I am afraid it looks like it would be too much trouble for a small group like us to get this implemented - with only very limited advantages. We would still need the usual certificates for all clients that don't support DANE.
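Added example, not code from the issue thread or the project it belongs to: the TLSA matching that the issue and the comment above describe, including the DNSSEC precondition the comment raises. It assumes the caller has already obtained the server certificate's DER and its SubjectPublicKeyInfo DER plus a validating resolver's verdict; the byte strings below are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:
    """One TLSA record (RFC 6698 field names); usage 3 = DANE-EE, the no-CA case."""
    usage: int              # 0-3; only 3 is handled by dane_ee_matches below
    selector: int           # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int      # 0 = raw data, 1 = SHA-256, 2 = SHA-512
    data: bytes
    dnssec_validated: bool  # the resolver reported the answer as DNSSEC-validated

def parse_tlsa(presentation: str, dnssec_validated: bool) -> TLSARecord:
    """Parse the zone-file form '3 0 1 <hex>' into a TLSARecord."""
    usage, selector, mtype, hexdata = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata), dnssec_validated)

def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the record's data field must contain for this certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown TLSA matching type {record.matching_type}")

def tlsa_presentation(usage: int, selector: int, mtype: int,
                      cert_der: bytes, spki_der: bytes) -> str:
    """The record text a server owner would publish, e.g. at _443._tcp.<host>."""
    probe = TLSARecord(usage, selector, mtype, b"", True)
    return f"{usage} {selector} {mtype} {association_data(probe, cert_der, spki_der).hex()}"

def dane_ee_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True only if a DNSSEC-validated DANE-EE record matches the presented cert.
    Refusing unvalidated records is the comment's point: without DNSSEC the trust
    would rest on whoever answered the DNS query. Usages 0-2 additionally need
    chain validation and are out of scope here."""
    if not record.dnssec_validated or record.usage != 3:
        return False
    expected = association_data(record, cert_der, spki_der)
    return hmac.compare_digest(expected, record.data)

# Constructed stand-ins, not real DER. In practice both come from the certificate
# the server presents in the TLS handshake (assumed to be extracted by the caller).
SAMPLE_CERT_DER = b"constructed-sample-certificate-der"
SAMPLE_SPKI_DER = b"constructed-sample-spki-der"
```

A deployment would query the TLSA record for the service name (`_443._tcp.<host>` for HTTPS) through a validating resolver and feed its verdict into `dnssec_validated`; a plain resolver answer must be treated as unvalidated.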