[keyassure] Bootstrapping Dane Adoption

Henry Story <henry.story@bblfish.net> Wed, 16 February 2011 09:17 UTC

Return-Path: <henry.story@bblfish.net>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 0E7043A6D63 for <keyassure@core3.amsl.com>; Wed, 16 Feb 2011 01:17:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.38
X-Spam-Status: No, score=-3.38 tagged_above=-999 required=5 tests=[AWL=-0.096, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id 0a0-WtOdhmxw for <keyassure@core3.amsl.com>; Wed, 16 Feb 2011 01:17:02 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com []) by core3.amsl.com (Postfix) with ESMTP id BEB533A6DDA for <keyassure@ietf.org>; Wed, 16 Feb 2011 01:17:01 -0800 (PST)
Received: by bwz12 with SMTP id 12so1433785bwz.31 for <keyassure@ietf.org>; Wed, 16 Feb 2011 01:17:28 -0800 (PST)
Received: by with SMTP id j19mr264742bka.105.1297847848413; Wed, 16 Feb 2011 01:17:28 -0800 (PST)
Received: from bblfish.home (ALagny-751-1-9-11.w83-112.abo.wanadoo.fr []) by mx.google.com with ESMTPS id u23sm3275558bkw.21.2011. (version=TLSv1/SSLv3 cipher=OTHER); Wed, 16 Feb 2011 01:17:26 -0800 (PST)
From: Henry Story <henry.story@bblfish.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 16 Feb 2011 10:17:23 +0100
Message-Id: <43743AB7-2208-46AB-9F59-B8862BC39034@bblfish.net>
To: John Gilmore <gnu@card.toad.com>
Mime-Version: 1.0 (Apple Message framework v1082)
X-Mailer: Apple Mail (2.1082)
Cc: keyassure@ietf.org
Subject: [keyassure] Bootstrapping Dane Adoption
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 09:17:03 -0000

(just pursuing the conversation on a thread that with a name that is more 
 related to the topic, since this has no more that much to do with publishing
 bare public keys )

On 15 Feb 2011, at 22:58, John Gilmore wrote in the thread archived at

>>   I can't remember if in their presentation they tell us how many valid self
>> signed certs they found out there...
> According to Chris Palmer of EFF, the SSL Observatory found 7 million
> self-signed certs (and 4.3 million with other certs).  But none of the
> self-signed certs were considered "valid self-signed certs" because
> the definition of "valid" was "with a valid signature chain, according
> to at least one browser", and of course browsers consider self-signed
> certs invalid.
> It appears that securing your web site with crypto is about three
> times as popular as obtaining a certificate from a certifying
> authority.
> So, providing a simple way in DNS for those 7 million web
> administrators to securely anchor their website's public keys to their
> domain names, without dealing with a certificate authority, would
> provide significant benefits to literally millions of people.


It occurred to me that DNSsec providers could easily bootstrap the
adoption of Dane by pinging port 443 of their clients hosts, getting the 
X509 Cert if it is there, verify it is correct, and if it is self signed
add the cert or public key to the DNSsec entry.

With even a few million such entries it would then be very easy to 
convince browser manufacturers of the use of adding support for DANE.


> 	John Gilmore