Led by: Joost van Dijk (SURFnet)
Attendees: Joost, Brook, ....
Notes: Brook Schofield
- Certificate Transparency vs DANE for TCS (Brook)
- What to do with DANE/Certificate Transparency/Pinning (Joost)
Joost provided info on how DANE works.
DANE requires DNSSEC infrastructure.
Q: Browser Support?
A1: Generally no. DANE plugin (for Firefox) from the same team that wrote the DNSSEC plugin.
A2: Chrome supports Certificate Transparency.
Q: DNSSEC - who owns the root certificate?
A: Generated via an open and auditable process.
Q: What do “we” want to do with DANE?
- if we can identify the use cases?
- eduroam? DANE - nl.eduroam.org -> uu.nl.eduroam.org
- RFC on use-cases ...
Securing the connection and defining the routing are two different tasks.
The CA provides the “security” for the connection.
This is a possible use case for email? DKIM signatures are better.
Chicken and Egg Problem
* Client to the resolver doesn’t do DNSSEC
* If the ISP
* Always performed on the client
* Certificate rollover
We need to find additional use cases ….