[ET Trac] [Einstein Toolkit] #1629: Use DANE for server certificates
Einstein Toolkit
trac-noreply at einsteintoolkit.org
Wed Jun 4 11:04:15 CDT 2014
#1629: Use DANE for server certificates
--------------------------------------+-------------------------------------
Reporter: eschnett | Owner:
Type: enhancement | Status: new
Priority: optional | Milestone:
Component: EinsteinToolkit website | Version: development version
Resolution: | Keywords:
--------------------------------------+-------------------------------------
Comment (by knarf):
This only moves the problem: DANE needs DNS records to be signed with
DNSSEC. Instead of trusting a list of CAs, applications need to trust
whoever signed the DNS record (and support this in the first place). The
list of applications that support this seems to be pretty short right now,
according to Wikipedia Chrome and Firefox have a plugin, and the only other
mentioned application is Irssi - an IRC client. GnuTLS also has support,
but applications might not be linked against it (but against OpenSSL
instead), and I would assume they still need some support for it.
In general, DANE seems like a very good idea. For now I am afraid it looks
like it would be too much trouble for a small group like us to get this
implemented - with only very limited advantages. We would still need the
usual certificates for all clients that don't support DANE.
--
Ticket URL: <https://trac.einsteintoolkit.org/ticket/1629#comment:1>
Einstein Toolkit <http://einsteintoolkit.org>
The Einstein Toolkit