Re: [dane] List of incidents that DANE would have blocked?

Viktor Dukhovni <> Thu, 02 October 2014 16:15 UTC


On Wed, Oct 01, 2014 at 09:37:08AM -0700, William Stouder-Studenmund wrote:

> Making a case for DANE means making a case for DNSSEC.


> I get that DANE can detect a large class of MITM attacks.

No, DANE can publish associations between service end-points and
public key material.  Protecting against MITM attacks is a matter
for the protocols that use that key material.  DNSSEC hardens the
lookups of that key material against MITM attacks.

> Saying that
> isn't as convincing as handing over a list of, "DANE is designed to stop
> this, DANE would have stopped that one," and so on.

DANE can enable opportunistic security protocol designs that are
capable of resisting MITM attacks.  This is in use with SMTP and

DANE for the web is some time away.  None of the browsers are
planning DANE support at this time.  My hope is that at some point
in the future the new "h2" URI scheme will support opportunistic
DANE TLS, rather than just opportunistic unauthenticated encryption.

DANE replacing public CAs with "https" seems unlikely so long as
there is perceived value in "EV" certificates.
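The point above, that DANE publishes associations between service end-points and key material while DNSSEC hardens the lookup of that data, can be shown with a small TLSA matcher. This is an added example, not code from the thread or from any DANE implementation; the SPKI bytes, certificate bytes and TLSA record are constructed inline, and only certificate usage 3 (DANE-EE) is matched, with the policy decision simplified to "dane" versus unauthenticated "encrypt".

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE (only this usage is matched here)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation form, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the DANE-EE record binds this end-entity cert or its key."""
    if rec.usage != 3:
        return False                      # DANE-TA (2) needs chain building
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        return False                      # unknown selector: unusable record
    if rec.mtype == 0:
        return selected == rec.data
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest() == rec.data
    return False                          # unknown matching type: unusable

def tls_policy(dnssec_validated: bool, tlsa_rdata: list) -> str:
    """Opportunistic DANE: only DNSSEC-validated TLSA data may authenticate.
    Unvalidated or absent records fall back to unauthenticated encryption."""
    if not dnssec_validated or not tlsa_rdata:
        return "encrypt"
    usable = [r for r in map(parse_tlsa, tlsa_rdata)
              if r.usage == 3 and r.selector in (0, 1) and r.mtype in (0, 1, 2)]
    return "dane" if usable else "encrypt"

def dane_verify(tlsa_rdata: list, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any published record matches the presented certificate."""
    return any(tlsa_matches(parse_tlsa(r), cert_der, spki_der) for r in tlsa_rdata)

# Constructed sample data (not real DER); a real client hashes the peer's SPKI.
SAMPLE_CERT = b"constructed-certificate-bytes"
SAMPLE_SPKI = b"constructed-subject-public-key-info"
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
ROTATED_SPKI = b"constructed-spki-after-key-rotation"
```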