by jnw2 3361 days ago
FLAVOR: Ubuntu Desktop and Ubuntu Server

HEADLINE: DANE for TLS in Firefox, wget, curl, etc

DESCRIPTION: Support TLS server verification using TLSA DNS records protected by DNSSEC as described at http://www.internetsociety.org/articles/dane-taking-tls-auth... and https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na... ; this should have a smaller attack surface than the current mess of X.509 certificate authorities that are trusted by web browsers. Doing this well may require better client side DNSSEC validation; my impression is that DNSSEC validation deployments in the real world today often tend to have only the recursive resolver doing DNSSEC validation, with a potentially insecure connection between the client and the recursive resolver. Firefox probably ought to check the entire DNSSEC signature chain itself.
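The client-side check the comment asks for comes down to two things: matching the presented certificate against a TLSA record (RFC 6698 section 2.1), and refusing to use TLSA data that was not DNSSEC-validated. The following Python is an added example written for this page; it is not code from Firefox, curl, wget or any DANE library. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and `DnsAnswer` is a hypothetical stand-in for what a validating stub resolver would hand back (the `authenticated` flag playing the role of a locally verified signature chain rather than an AD bit trusted across an unprotected link).

```python
"""DANE-EE (TLSA usage 3) matching for a TLS leaf certificate, per RFC 6698.

Added example for the comment above; not code from Firefox, curl or wget.
The certificate/SPKI bytes are constructed stand-ins and DnsAnswer is a
hypothetical resolver result type.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins; a real client takes these from the TLS handshake.
SERVER_CERT_DER = b"\x30\x82constructed-der-certificate-bytes"
SERVER_SPKI_DER = b"\x30\x59constructed-subject-public-key-info"


@dataclass
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data


@dataclass
class DnsAnswer:
    """Hypothetical result of looking up _443._tcp.<host> IN TLSA."""
    records: list[str]   # TLSA RRs in presentation format
    authenticated: bool  # True only if the client itself validated the DNSSEC chain


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the presentation format '3 1 1 <hex>' (RFC 6698 section 2.2)."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply the selector, then the matching type, to the presented certificate."""
    if rec.selector == 0:
        selected = cert_der
    elif rec.selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {rec.selector}")
    if rec.matching_type == 0:
        return selected
    if rec.matching_type == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching_type}")


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    # Constant-time comparison of the computed association data with the record.
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


def verify_dane_ee(answer: DnsAnswer, cert_der: bytes, spki_der: bytes) -> bool:
    """Accept the leaf iff a DNSSEC-validated usage-3 TLSA record matches it.

    An unauthenticated answer is treated as if no TLSA records exist: TLSA data
    that only the recursive resolver vouched for, over an unprotected link, is
    exactly what the comment warns against.  Usages 0-2 are skipped here because
    they additionally need PKIX chain building or a trust-anchor match.
    """
    if not answer.authenticated:
        return False
    for rr in answer.records:
        try:
            rec = parse_tlsa(rr)
            if rec.usage == 3 and tlsa_matches(rec, cert_der, spki_der):
                return True
        except ValueError:
            continue  # malformed or unknown record: ignore it, never fail open
    return False


# Constructed TLSA records for the stand-in certificate above.
TLSA_SPKI_SHA256 = "3 1 1 " + hashlib.sha256(SERVER_SPKI_DER).hexdigest()
TLSA_CERT_SHA512 = "3 0 2 " + hashlib.sha512(SERVER_CERT_DER).hexdigest()
TLSA_SPKI_EXACT = "3 1 0 " + SERVER_SPKI_DER.hex()
TLSA_PKIX_EE = "1 1 1 " + hashlib.sha256(SERVER_SPKI_DER).hexdigest()
TLSA_OTHER_KEY = "3 1 1 " + hashlib.sha256(b"some-other-key").hexdigest()

if __name__ == "__main__":
    signed = DnsAnswer([TLSA_OTHER_KEY, TLSA_SPKI_SHA256], authenticated=True)
    print("validated answer, matching key:",
          verify_dane_ee(signed, SERVER_CERT_DER, SERVER_SPKI_DER))
    unsigned = DnsAnswer([TLSA_SPKI_SHA256], authenticated=False)
    print("unvalidated answer, same record:",
          verify_dane_ee(unsigned, SERVER_CERT_DER, SERVER_SPKI_DER))
```

The important design choice is the `authenticated` gate: a record that matches perfectly is still rejected when the client cannot prove the DNSSEC chain itself, which is the difference between a resolver-side and a client-side validation model that the comment draws.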