Why not DANE in browsers (17 Jan 2015)
lundi 19 janvier 2015 à 08:18CAFAI Liens en Vrac 19/01/2015
Réponse à "arguments against DNSSEC" (https://shaarli.cafai.fr/?fkzN7w || http://sockpuppet.org/blog/2015/01/15/against-dnssec/) et Questions and Answers from "Against DNSSEC" (http://sockpuppet.org/stuff/dnssec-qa.html).
There are two ways that you might wish to use DANE in a web browser: either to block a certificate that would normally be considered valid, or to bless a certificate that would normally be rejected. The first, obviously, requires that DANE information always be obtained—if a lookup failure was ignored, a network attacker with a bad certificate would just simulate a lookup failure. But requiring that browsers always obtain DANE information (or a proof of absence) is nearly implausible
(Permalink)
Réponse à "arguments against DNSSEC" (https://shaarli.cafai.fr/?fkzN7w || http://sockpuppet.org/blog/2015/01/15/against-dnssec/) et Questions and Answers from "Against DNSSEC" (http://sockpuppet.org/stuff/dnssec-qa.html).
There are two ways that you might wish to use DANE in a web browser: either to block a certificate that would normally be considered valid, or to bless a certificate that would normally be rejected. The first, obviously, requires that DANE information always be obtained—if a lookup failure was ignored, a network attacker with a bad certificate would just simulate a lookup failure. But requiring that browsers always obtain DANE information (or a proof of absence) is nearly implausible
(Permalink)