argument for DANE

Posted Mar 20, 2014 0:34 UTC (Thu) by tialaramex (subscriber, #21167)
In reply to: argument for DANE by anselm
Parent article: Debian and CAcert

Exactly. Today you have the situation where .example can be as well run as any domain anywhere, and yet a company you've never heard of (or a state acting through that company), based in a country you've no plans to ever visit, issues a CA cert that says some unrelated third party "is" your whatever.example domain, and the average person's web browser trusts them silently.

Under DANE the responsibility for securing domains in .example falls to the .example operators, the very same people _getting paid_ by whatever.example. This is a much more satisfying arrangement. Most likely .com will continue to be run very poorly but other domains can choose to do better, which today is futile at least in respect of security.

And as a bonus you get the thing CAcert wanted most of all, which is that everybody can have working PKI at potentially zero cost. That can never happen (as CAcert's experience illustrates) under the current regime.

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.