Use DANE for server certificates

Issue #1629 closed
Erik Schnetter created an issue

If I understand correctly, DANE (http://www.heise.de/newsticker/meldung/DANE-Bund-sichert-nach-Mail-Transport-auch-Webservice-mittels-DANE-ab-2215929.html, http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) would allow server owners to publish their certificates with their DNS entries. This could -- if I understand correctly -- replace the need for having certificates signed by a CA, which is always expensive and cumbersome.


Comments (3)

  1. Frank Löffler

    This only moves the problem: DANE needs DNS records to be signed with DNSSEC. Instead of trusting a list of CAs, applications need to trust whoever signed the DNS record (and support this in the first place). The list of applications that support this seems to be pretty short right now, according to Wikipedia Chrome and Firefox have a plugin, and the only other mentioned application is Irssi - an IRC client. GnuTLS also has support, but applications might not be linked against it (but against openssl instead), and I would assume they still need some support for it.

    In general, DANE seems like a very good idea. For now I am afraid it looks like it would be too much trouble for a small group like us to get this implemented - with only very limited advantages. We would still need the usual certificates for all clients that don't support DANE.
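The DNSSEC dependency described in the comment above, shown as a small added Python example (not code from this issue or from the project): it builds the TLSA record a server operator would publish for a certificate, then checks a presented certificate against such records, falling back to ordinary CA validation whenever the DNS answer was not DNSSEC-validated. The certificate bytes and records are constructed stand-ins, and only the "full certificate" selector is implemented.

```python
"""DANE TLSA matching (RFC 6698), selector 0 (full certificate) only.
Constructed example: the certificate bytes and records are made up."""
import hashlib
from dataclasses import dataclass

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # RFC 6698 certificate usages

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

def association_data(cert_der: bytes, matching: int) -> bytes:
    """Data the record must carry for this certificate (selector 0)."""
    if matching == 0:
        return cert_der                          # exact match
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")

def tlsa_record_for(cert_der: bytes, usage: int = DANE_EE, matching: int = 1) -> str:
    """What the server operator would publish, in zone-file presentation form."""
    return f"{usage} 0 {matching} {association_data(cert_der, matching).hex()}"

def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file form, e.g. '3 0 1 <hex digest>'."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))

def dane_verify(cert_der: bytes, records: list, dnssec_validated: bool,
                pkix_ok: bool) -> bool:
    """Accept the certificate? dnssec_validated = the TLSA answer came with
    DNSSEC validation (AD bit). Unsigned TLSA data adds no trust, so we fall
    back to CA-chain validation (pkix_ok); usages 0/1 need pkix_ok as well,
    only usage 3 (DANE-EE) stands on its own."""
    usable = [r for r in records if r.usage in (PKIX_EE, DANE_EE)
              and r.selector == 0 and r.matching in (0, 1, 2)]
    if not dnssec_validated or not usable:
        return pkix_ok
    for r in usable:
        if association_data(cert_der, r.matching) == r.data:
            return r.usage == DANE_EE or pkix_ok
    return False                                 # validated records, none match
```

Note that a DNSSEC-validated TLSA set that matches nothing is a hard failure, even when the CA chain is fine; that is what makes a DANE-EE record equivalent to a pin.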
