Re: [dane] Google Chromium team closes DNSSEC/DANE as a WontFix

Rene Bartsch <ietf@bartschnet.de> Fri, 03 October 2014 09:47 UTC

Date: Fri, 03 Oct 2014 11:47:17 +0200
From: Rene Bartsch <ietf@bartschnet.de>
To: IETF DANE Mailinglist <dane@ietf.org>
In-Reply-To: <65B99B57-FDCB-4E0A-A65A-21F80B67C205@isoc.org>
References: <65B99B57-FDCB-4E0A-A65A-21F80B67C205@isoc.org>
Message-ID: <f7e48ee02f5da13065ec41fa6a62ab21@triangulum.uberspace.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/NryU2N9wn5RVfkg0GLlNH6snxaI

On 2014-10-02 14:09, Dan York wrote:
> It seems we may not be seeing DANE / DNSSEC support in Google Chrome
> anytime soon. This ticket was just closed as a WontFix:
> 
> https://code.google.com/p/chromium/issues/detail?id=50874#c22
> 
> As the ticket says (in part):
> -----
> 
> Closing this out as WontFix, as there are no plans.
> <snip>
> DNSSEC and DANE (types 2/3) do not measurably raise the bar for
> security compared to alternatives, and can be negative for security.
> DNSSEC+DANE (types 0/1) can be accomplished via HTTP Public Key
> Pinning to the same effect, and with a much more reliable and
> consistent delivery mechanism.
> 
> While not desiring to stifle discussion, we've continued to evaluate
> the security and usability benefits and costs of DNSSEC and DANE, and
> will continue to do so, but for now, this is neither something we plan
> to implement nor would support landing.
> -----
> 
> Any thoughts?
> 
> Dan

It seems Google wants to become the one and only authority by 
certificate pinning to control whose certificates are accepted instead 
of leaving the choice to the domain owner. This also obstructs the 
transition to free self-signed certificates for non-commercial domains. 
In my opinion the certificate should be linked to the domain by the 
domain infrastructure -> DNSSEC.

Please comment https://bugzilla.mozilla.org/show_bug.cgi?id=1077323 to 
encourage Mozilla to implement DANE. This would also improve security 
when downloading Firefox updates/addons.

-- 
Best regards,

Rene Bartsch, B. Sc. Informatics
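As an added example, not part of Dan York's mail, the Chromium ticket text or Rene's reply, the following Python shows concretely what the ticket is comparing: a DANE TLSA record (RFC 6698) and an HTTP Public Key Pin (RFC 7469) computed over the same SubjectPublicKeyInfo. With selector 1 (SPKI) and matching type 1 (SHA-256) the TLSA association data is byte-for-byte the digest that HPKP carries in base64; what differs between certificate usages 0/1 and 2/3 is whether the client must still run PKIX validation against its trust store. The Ed25519 SPKI bytes, the owner name example.com and port 443 are constructed for illustration only.

```python
import base64
import hashlib
import struct

# Field meanings from RFC 6698 (TLSA RR) and RFC 7671 (DANE operational guidance).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def ed25519_spki(raw_key: bytes) -> bytes:
    """DER SubjectPublicKeyInfo for an Ed25519 key:
    SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits, 32 bytes) }.
    The key bytes here are arbitrary constants, not a real key; only the DER
    structure matters for the hash comparison."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return bytes.fromhex("302a300506032b6570032100") + raw_key


# Constructed sample inputs (not real keys).
SAMPLE_SPKI_DER = ed25519_spki(bytes(range(0x10, 0x30)))
BACKUP_SPKI_DER = ed25519_spki(bytes(range(0x40, 0x60)))


def requires_pkix_validation(usage: int) -> bool:
    """Usages 0 and 1 constrain a chain that must still pass PKIX validation
    against the client's trust store (the part HPKP can also express); usages
    2 and 3 rely on the DNSSEC-signed record alone."""
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage {usage}")
    return usage in (0, 1)


def association_data(selected: bytes, matching_type: int) -> bytes:
    """Certificate Association Data over the DER certificate (selector 0)
    or the DER SubjectPublicKeyInfo (selector 1)."""
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_rdata(usage: int, selector: int, matching_type: int, selected: bytes) -> bytes:
    """Wire-format RDATA: three one-octet fields followed by the association data."""
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector {selector}")
    requires_pkix_validation(usage)  # raises on an unknown usage value
    return struct.pack("!BBB", usage, selector, matching_type) + association_data(selected, matching_type)


def tlsa_presentation(host: str, port: int, proto: str, usage: int, selector: int,
                      matching_type: int, selected: bytes) -> str:
    """Zone-file form, e.g. `_443._tcp.example.com. IN TLSA 3 1 1 <hex>`."""
    rdata = tlsa_rdata(usage, selector, matching_type, selected)
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {matching_type} {rdata[3:].hex()}"


def parse_tlsa_rdata(rdata: bytes) -> dict:
    """Decode wire RDATA and sanity-check the digest length for the matching type."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
    data = rdata[3:]
    expected = {1: 32, 2: 64}.get(matching_type)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {matching_type} needs {expected} bytes, got {len(data)}")
    return {
        "usage": usage, "usage_name": USAGES.get(usage, "unassigned"),
        "selector": selector, "selector_name": SELECTORS.get(selector, "unassigned"),
        "matching_type": matching_type, "matching_name": MATCHING_TYPES.get(matching_type, "unassigned"),
        "data": data,
        "requires_pkix": usage in (0, 1),
    }


def hpkp_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_header(spki_der: bytes, backup_spki_der: bytes, max_age: int = 5184000) -> str:
    """RFC 7469 requires a backup pin for a key that is not in the served chain."""
    return (f'Public-Key-Pins: pin-sha256="{hpkp_pin(spki_der)}"; '
            f'pin-sha256="{hpkp_pin(backup_spki_der)}"; max-age={max_age}')


def pin_matches_tlsa(pin: str, rdata: bytes) -> bool:
    """True when an HPKP pin and a TLSA `x 1 1` record commit to the same key."""
    rec = parse_tlsa_rdata(rdata)
    if rec["selector"] != 1 or rec["matching_type"] != 1:
        return False
    return base64.b64decode(pin) == rec["data"]


if __name__ == "__main__":
    # PKIX-EE (usage 1) and DANE-EE (usage 3) carry identical data; only the
    # first octet, and therefore the validation the client must perform, differs.
    for usage in (1, 3):
        print(tlsa_presentation("example.com", 443, "tcp", usage, 1, 1, SAMPLE_SPKI_DER))
    print(hpkp_header(SAMPLE_SPKI_DER, BACKUP_SPKI_DER))
    print(pin_matches_tlsa(hpkp_pin(SAMPLE_SPKI_DER), tlsa_rdata(3, 1, 1, SAMPLE_SPKI_DER)))
```

Running it prints the two TLSA records and the HPKP header side by side; the hex association data of the TLSA records and the base64 pin decode to the same 32 bytes, which is the sense in which the ticket calls the usage 0/1 cases "accomplishable via HPKP". The `requires_pkix` flag is what HPKP cannot drop: a DANE-EE (usage 3) record authenticates a self-signed certificate with no CA involved, while a pin only narrows which CA-issued chains are accepted.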