

Led by: Joost van Dijk (SURFnet)

Attendees: Joost, Brook, ....

Notes: Brook Schofield


  1. Certificate Transparency vs DANE for TCS (Brook)
  2. What to do with DANE/Certificate Transparency/Pinning (Joost)


Joost provided info on how DANE works.

DANE requires DNSSEC infrastructure.


Q: Browser Support?

A1: Generally no. There is a DANE plugin (for Firefox) from the same team that wrote the DNSSEC plugin.

A2: Chrome supports Certificate Transparency.


Q: DNSSEC - who owns the root certificate?

A: Generated via an open and auditable process.


Q: What do “we” want to do with DANE? 

 - if we can identify the use cases?

 - eduroam? DANE - ->

 - RFC on use-cases ... 


Securing the connection and defining the routing are two different tasks.

The CA provides the “security” for the connection.

This is a possible use case for email? DKIM signatures are better.


Chicken and Egg Problem

 * Client to the resolver doesn’t do DNSSEC

 * If the ISP





 * Always performed on the client

 * Certificate rollover




We need to find additional use cases ….