Re: [therightkey] [dane] DANE and CT

Warren Kumari <warren@kumari.net> Wed, 14 November 2012 16:28 UTC

Return-Path: <warren@kumari.net>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 328F721F85EB; Wed, 14 Nov 2012 08:28:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ObEtRaAZcd+X; Wed, 14 Nov 2012 08:28:38 -0800 (PST)
Received: from vimes.kumari.net (smtp1.kumari.net [204.194.22.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F3BB21F8620; Wed, 14 Nov 2012 08:28:38 -0800 (PST)
Received: from [192.168.2.103] (unknown [209.133.29.2]) by vimes.kumari.net (Postfix) with ESMTPSA id AE7E41B404E9; Wed, 14 Nov 2012 11:28:37 -0500 (EST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <alpine.LSU.2.00.1211141601220.27013@hermes-1.csi.cam.ac.uk>
Date: Wed, 14 Nov 2012 11:28:35 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <212E2C13-CE98-43BB-B665-14DD18236F03@kumari.net>
References: <CABrd9SRyv+UerPJBf+gw47nWj3t4ekHRnWsKC0pHcadHV5mvmw@mail.gmail.com> <alpine.LSU.2.00.1211141601220.27013@hermes-1.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
X-Mailer: Apple Mail (2.1499)
Cc: Ben Laurie <benl@google.com>, therightkey@ietf.org, Warren Kumari <warren@kumari.net>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [therightkey] [dane] DANE and CT
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2012 16:28:39 -0000

On Nov 14, 2012, at 11:02 AM, Tony Finch <dot@dotat.at> wrote:

> Ben Laurie <benl@google.com> wrote:
> 
>> At the CT BoF the question was raised: what about DANE?
>> 
>> Which is a good question. So, I think Google is prepared to
>> contemplate running a CT log for DANE, but this leaves some
>> questions...
> 
> What problem would CT for DANE be aiming to fix?
> 

If I run example.com and someone managed to generate / publish a TLSA record for that, I'd sure like to know about it.
Yes, I should be able to simply check myself (and presumably a malicious actor wouldn't submit it to the log :-)), but it seems like it couldn't hurt[0]

Also, as a relying party, if I'm checking / relying on CT this gives me additional information - if the cert / TLSA record do not match the published stuff in the log I may have evidence that shenanigans are afoot.

Yes, there is a fair bit of detail still to be worked out (what do you *do* if they don't match? what if a DANE user simply doesn't want to publish and the world moves to enforced CT?), the "it seems like it can't hurt" feels scary, and so needs more thought, but to me CT and DANE seem complementary, not competing technologies…


W
[0]: Famous last words!

> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
> 

--
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup.
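The relying-party check sketched in the message above (does the certificate presented satisfy the TLSA record the DNS returned, and was that record ever recorded in a log?), as an added worked example. This is not code from this thread, from Google, or from any DANE or CT implementation; the DER helpers, the certificate-shaped sample bytes, the "log" (just a list of records), and every name in it are this example's own constructions. The TLSA association-data computation follows RFC 6698 (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512).

```python
"""Added example (not from the mailing-list thread): compute TLSA certificate
association data per RFC 6698, then run the relying-party audit the message
describes against a constructed certificate and a hypothetical log."""
import hashlib
from typing import List, NamedTuple

# --- minimal DER helpers, enough to build and walk a certificate-shaped blob ---

def der_encode(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite (short- or long-form) length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def der_children(value: bytes) -> List[tuple]:
    """Split the contents of a constructed DER value into (tag, value, raw_tlv)."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        tag, length = value[pos], value[pos + 1]
        pos += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(value[pos:pos + n], "big")
            pos += n
        out.append((tag, value[pos:pos + length], value[start:pos + length]))
        pos += length
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tbs = der_children(der_children(cert_der)[0][1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # skip the explicit [0] version if present
        fields = fields[1:]
    return fields[5][2]                        # sixth field: subjectPublicKeyInfo

# --- TLSA (RFC 6698) ---

class TLSA(NamedTuple):
    usage: int           # 0-3; 3 = DANE-EE
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes          # certificate association data

def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def tlsa_for(cert_der: bytes, usage: int, selector: int, matching_type: int) -> TLSA:
    """The record a domain owner would publish for this certificate."""
    return TLSA(usage, selector, matching_type, association_data(cert_der, selector, matching_type))

def presentation(rr: TLSA) -> str:
    """Zone-file presentation format: usage selector matching-type hex-data."""
    return f"{rr.usage} {rr.selector} {rr.matching_type} {rr.data.hex()}"

def cert_matches(rr: TLSA, cert_der: bytes) -> bool:
    return rr.data == association_data(cert_der, rr.selector, rr.matching_type)

def audit(dns_rr: TLSA, logged: List[TLSA], cert_der: bytes) -> str:
    """Relying-party check: 'mismatch' if the presented cert does not satisfy the
    TLSA record the DNS returned, 'unlogged' if that record was never recorded in
    the (hypothetical) log, otherwise 'ok'."""
    if not cert_matches(dns_rr, cert_der):
        return "mismatch"
    if dns_rr not in logged:
        return "unlogged"
    return "ok"

# --- constructed sample data (certificate-shaped, not a real certificate) ---

def fake_spki(key_bytes: bytes) -> bytes:
    """SPKI-shaped TLV: SEQUENCE { algorithm (dummy), BIT STRING key }."""
    return der_encode(0x30, der_encode(0x30, b"") + der_encode(0x03, b"\x00" + key_bytes))

def build_fake_cert(spki_tlv: bytes) -> bytes:
    """DER with the real X.509 field order but dummy contents and no real signature."""
    tbs = der_encode(0x30, b"".join([
        der_encode(0xA0, der_encode(0x02, b"\x02")),   # [0] version: v3
        der_encode(0x02, b"\x01\x02\x03"),             # serialNumber
        der_encode(0x30, b""),                         # signature algorithm (dummy)
        der_encode(0x30, b""),                         # issuer (dummy)
        der_encode(0x30, b""),                         # validity (dummy)
        der_encode(0x30, b""),                         # subject (dummy)
        spki_tlv,                                      # subjectPublicKeyInfo
    ]))
    return der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

SAMPLE_SPKI = fake_spki(b"example.com-key")   # constructed
ROGUE_SPKI = fake_spki(b"attacker-key")       # constructed

if __name__ == "__main__":
    cert = build_fake_cert(SAMPLE_SPKI)
    published = tlsa_for(cert, 3, 1, 1)        # "3 1 1 <sha256 of SPKI>"
    print("_443._tcp.example.com. IN TLSA", presentation(published))
    print(audit(published, [published], cert))                          # ok
    print(audit(published, [], cert))                                   # unlogged
    print(audit(published, [published], build_fake_cert(ROGUE_SPKI)))   # mismatch
```

The three audit outcomes map onto the message's open question: "mismatch" is the case where the served certificate does not satisfy the DNS record at all, "unlogged" is the case where a TLSA record exists in the DNS but was never recorded, which is exactly what a domain owner watching a log for their own name would want to be told about. What to do on each outcome is left open here, as it is in the thread.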