TF-OpenSpace – Session 1, room yellow.   12 February 2014. 

Led by: Joost van Dijk (SURFnet)

Attendees: Joost, Brook, ....

Notes: Brook Schofield


  1. Certificate Transparency vs DANE for TCS (Brook)
  2. What to do with DANE/Certificate Transparency/Pinning (Joost)


Joost provided info on how DANE works.

DANE requires DNSSEC infrastructure.


Q: Browser Support?

A1: Generally no. DANE plugin (for Firefox) from the same team that wrote the DNSSEC plugin.

A2: Chrome supports Certificate Transparency.


Q: DNSSEC - who owns the root certificate?

A: Generated via an open and auditable process.


Q: What do “we” want to do with DANE? 

 - if we can identify the use cases?

 - eduroam? DANE - ->

 - RFC on use-cases ... 


Securing the connection and defining the routing are two different tasks.

The CA provides the “security” for the connection.

This is a possible use case for email? DKIM signatures are better.


Chicken and Egg Problem

 * Client to the resolver doesn’t do DNSSEC

 * If the ISP





 * Always performed on the client

 * Certificate rollover




We need to find additional use cases ….





[ACTION] Ensure that any technical issues that should be reflected in the TCS tender are conveyed to Nicole ASAP.