[Ach] DNSSEC [was: Re: filippo on SSL SMTP encryption]

Aaron Zauner azet at azet.org
Tue Mar 31 22:00:59 CEST 2015

Hi again,

Daniel Kahn Gillmor wrote:
> We need *more* functional authentication systems, and we need to be able
> to use them in corroborative ways.  DNSSEC strikes me as a mechanism
> that can be used alongside CAs or WoT or TOFU as an additional verifier.

I agree in general. But that's the point here: they need to be
functional. There're tons of problems with DNSSEC right now. Until that
changes somehow I'm not betting on DNSSEC nor DANE to provide any
functional authentication or trust. I don't like soft-fails :)

You can maybe tell that I'm a bit desensitized to DNSSEC by my original
post. I've had "the DNSSEC discussion" about 25 times over the last six

I think before we invest time and energy on a section about DNSSEC/DANE
we should look into properly documenting Key Pinning and operational
procedures that come with it (i.e. not locking users out of your
service). In general I don't have an issue with a chapter on
DNSSEC/DANE: but it should clearly state all the problems that come with it.

I'm really missing discussion on TACK in IETF. Would be especially
useful to STARTTLS protocols.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150331/6c1c7791/attachment.sig>

More information about the Ach mailing list