Hacker News new | ask | show | jobs
by magila 2674 days ago
As long as DV certs exist the registrars are trusted anyways[0]. DNSSEC + DANE, for all its faults, would at least reduce the set of trusted actors by cutting CAs out of the chain.

[0] Yes there's CT to help catch dishonest registrars, but a similar regime could be applied to registrars directly to force transparency around changes to TLSA records.
1 comments
tptacek 2674 days ago
Adam Langley explains in "Why Not DANE In Browsers" that this is not in fact the case, and that DANE will ultimately just expand the number of trust anchors; you can't even get things narrowed down to just the governments controlling your records.

Further: a mis-issuing CA can be put to death (as happened to the largest CA when Google caught them mis-issuing). You can't revoke a TLD.

Meanwhile, CT actually exists today and is meaningfully combating misissuance, and obviously does not rely on DNSSEC to function.

link
Ajedi32 2674 days ago
> Adam Langley explains in "Why Not DANE In Browsers" that this is not in fact the case, and that DANE will ultimately just expand the number of trust anchors

This is false. That article makes no such claims.

link
tptacek 2673 days ago
There are two ways that you might wish to use DANE in a web browser: either to block a certificate that would normally be considered valid, or to bless a certificate that would normally be rejected. The first, obviously, requires that DANE information always be obtained—if a lookup failure was ignored, a network attacker with a bad certificate would just simulate a lookup failure. But requiring that browsers always obtain DANE information (or a proof of absence) is nearly implausible
link
Ajedi32 2673 days ago
That paragraph does not claim DANE expands the number of trust anchors.

As magila stated, registrars are already a trust anchor for domain validated certificates. Trusting a certificate directly via DANE vs through a domain-validated certificate doesn't change that. It does, however, cut CAs out of the process, which reduces the number of trust anchors.

link
tptacek 2673 days ago
If you can't use DANE to block certificates that the WebPKI says are valid, then you're stuck trusting both DANE and the CAs. Browsers don't trust DANE today. Ergo, adoption of DANE would expand the number of trust anchors.
link
Ajedi32 2673 days ago
Assuming we need to keep backwards compatibility indefinitely that's true, but that still wouldn't expand the number of trust anchors. DANE isn't a new trust anchor, it's just a more direct way of trusting preexisting trust anchors (DNS registrars). Even if you don't use or support DANE you still need to trust the registrars.
link
magila 2674 days ago
I was speaking more in a hypothetical sense, but you're right. The DNS as currently implemented is sufficiently broken so as to preclude securing it.
link