[dane] Two additions to draft-york-dane-deployment-observations-00

Stephane Bortzmeyer <bortzmeyer@nic.fr> Sat, 08 November 2014 00:08 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id C64231A0032 for <dane@ietfa.amsl.com>; Fri, 7 Nov 2014 16:08:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 41GZ00lQ846z for <dane@ietfa.amsl.com>; Fri, 7 Nov 2014 16:08:00 -0800 (PST)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fece:1902]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52B6A1A0049 for <dane@ietf.org>; Fri, 7 Nov 2014 16:08:00 -0800 (PST)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id 4A2BF3BA49; Sat, 8 Nov 2014 01:07:58 +0100 (CET)
Received: by tyrion (Postfix, from userid 1000) id 9B02FF01300; Sat, 8 Nov 2014 00:29:15 +0100 (CET)
Date: Fri, 07 Nov 2014 15:29:15 -0800
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: dane@ietf.org
Message-ID: <20141107232915.GA31913@laperouse.bortzmeyer.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Transport: UUCP rules
X-Operating-System: Ubuntu 14.04 (trusty)
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/Gjy_JCWszwjODK0gYO9-T9gw5Cs
Subject: [dane] Two additions to draft-york-dane-deployment-observations-00
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Nov 2014 00:08:05 -0000

I've just read draft-york-dane-deployment-observations-00 and I would
like to add two things to the list in section 2, "Observations", list
of reasons why people don't deploy DANE. These additions come from my
experience trying to promote the use of DANE.

The first one is that some people distrust the domain name industry
and feel that it is not safe to exchange the CA for the domain name
actors (some of them having bad reputations like G... D...). Now, we
all know it is more complicated than that (usages PKIX-* do not
required that you drop the CA system, but on the other hand, some
people fear that, if DANE is in the browser, the registrar, registry
or the DNS hoster may be able to divert your users to a false site,
something they could not do before). I don't say that I follow this
reasoning but I've heard it several times so it could be documented.

The second one is the lack of monitoring solutions. DANE brings some
new risks of discrepancies (people renewing the certificate and
forgetting to update the TLSA record for the *-EE usages...) since the
people who manage the certs may not be the same who manage the DNS. We
really need Nagios plugins to monitor DANE sites. Unlike the first
reason given above, I strongly buy this one.