[Ach] opinions on letsencrypt.org?

Hanno Böck hanno at hboeck.de
Tue Nov 25 19:24:58 CET 2014


On Tue, 25 Nov 2014 16:20:13 +0100
Aaron Zauner <azet at azet.org> wrote:

> As with TACK I hear that some vital Google engineers don't like the
> DANE trust/security model. I'm curious if it'll see real adoption.
> Their reasoning so far has been that there are more "entry points"
> for an attacker than with a central (and CT audited) trust system as
> with certificate authorities. But I'm not them, just relaying what
> I've heard and read from them on mailinglists and twitter here.

I'm not a vital Google engineer, but I also have some problems with
DANE.

The biggest one: It's based on DNSSEC and DNSSEC is mostly vaporware. I
keep hearing people say that "DNSSEC is coming", but it isn't.
Hardly any domain has dnssec. But the much bigger part that's virtually
nonexistent is dnssec client support. And I don't even see how dnssec
client support is even supposed to work. At the moment clients don't do
DNS. They query a dns server provided by someone else (their DSL router
or their provider).

What's the idea here? Should everyone install a dns resolver locally?
(I feel this would open up a whole bunch of potential other issues if
it isn't done right - e.g. if the resolver is open to anyone.) Should
browsers do their own dns resolving? Should we trust our providers to
get dnssec right?
I feel the browser solution is the most likely. It's just that nobody
is implementing that, at least not that I've heard of. I fear people
will deploy dnssec in a "trust your provider" way, which would be a
disaster.

The other problem I have with DNSSEC is that we move from
ca-cartel-mess to domain-nic-cartel.


I see some use in DANE for SMTP server-to-server. However EFF has a
proposal for this without dnssec (probably because they also know
dnssec is vaporware), though I haven't looked at it yet. Does anyone
know about that?

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
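Hanno's point that DANE is only as strong as the DNSSEC validation the client itself performs, as an added illustration that is not part of the original post or thread: a minimal RFC 6698 TLSA matcher that refuses to trust a record unless the answer was DNSSEC-validated. The certificate and SPKI bytes are constructed placeholders, and the matching logic is written from the RFC rather than taken from any real DANE library.

```python
import hashlib
import hmac

# Constructed sample inputs (not a real certificate): a fake DER-encoded
# leaf certificate and its hypothetical SubjectPublicKeyInfo (SPKI).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-leaf-certificate-bytes"
SAMPLE_SPKI_DER = b"\x30\x59" + b"constructed-subject-public-key-info"

def tlsa_matching_data(matching_type: int, data: bytes) -> bytes:
    """Apply the RFC 6698 matching type: 0 = full, 1 = SHA-256, 2 = SHA-512."""
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes,
                 dnssec_validated: bool, pkix_valid: bool = False) -> bool:
    """True only if the TLSA record matches the certificate AND is trustworthy.

    rdata is the presentation form "usage selector matching-type hexdata".
    dnssec_validated must reflect validation the client itself performed (or
    the AD bit from a resolver reached over a trusted path); an unvalidated
    TLSA record is just an unauthenticated DNS answer and proves nothing.
    """
    if not dnssec_validated:
        return False
    try:
        usage, selector, mtype, hexdata = rdata.split()
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        expected = bytes.fromhex(hexdata)
        selected = {0: cert_der, 1: spki_der}[selector]
        computed = tlsa_matching_data(mtype, selected)
    except (ValueError, KeyError):
        return False
    # PKIX-TA (0) and PKIX-EE (1) constrain normal chain validation rather
    # than replace it, so ordinary PKIX validation must have succeeded too.
    if usage not in (0, 1, 2, 3) or (usage in (0, 1) and not pkix_valid):
        return False
    return hmac.compare_digest(computed, expected)

def sample_dane_ee_record() -> str:
    """A '3 1 1' (DANE-EE, SPKI, SHA-256) record for the constructed key."""
    return "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()

def sample_pkix_ee_record() -> str:
    """A '1 0 1' (PKIX-EE, full cert, SHA-256) record for the constructed cert."""
    return "1 0 1 " + hashlib.sha256(SAMPLE_CERT_DER).hexdigest()
```

For usages 0 and 2 (trust-anchor records) the caller would pass the CA certificate from the chain rather than the leaf; the matching rules are the same.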