Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support cert pinning via DANE #6104

Closed
kmcallister opened this issue May 17, 2015 · 4 comments
Closed

Support cert pinning via DANE #6104

kmcallister opened this issue May 17, 2015 · 4 comments
Assignees
@avadacatavra
Labels
A-network A-security B-interesting-project Represents work that is expected to be interesting in some fashion E-very-complex Very difficult. Do not attempt without significant relevant experience and motivation. I-safety Some piece of code violates memory safety guarantees.

Comments

@kmcallister
Copy link
Contributor

DNS-based Authentication of Named Entities.

This may require having our own DNSSEC resolver.
@kmcallister kmcallister added E-very-complex Very difficult. Do not attempt without significant relevant experience and motivation. B-interesting-project Represents work that is expected to be interesting in some fashion I-safety Some piece of code violates memory safety guarantees. A-network labels May 17, 2015
@hsivonen
Copy link
Contributor

Considering that more established browsers are rejecting this feature due to the latency of querying DNS and due to DNSSEC using the sort of legacy crypto that's being unsupported for normal CAs, it's probably not a good idea to spend time on this in Servo.

@nox
Copy link
Contributor

nox commented Apr 8, 2017

Assigning to @avadacatavra to decide whether we should pursue this.

@hsivonen
Copy link
Contributor

hsivonen commented Apr 9, 2017

I see that my comment from 2015 has gotten two thumbs down. It helps to consider DNSSEC as a CA system replacement with legacy crypto practices and with structurally unimpeachable root and intermediates.

Legacy crypto practices: Remember that DNSSEC had a 1024-bit RSA root at a time when Mozilla had decided to distrust 1024-bit RSA Web PKI roots.

From time to time, there's "whoa! how can it be this bad?" news about a particular CA or its delegates. Taking action against BR violations in Web PKI is hard but possible. In DNSSEC, if your TLD misbehaves in terms of what it signs, there's no remedy without everyone under that TLD changing to a different TLD, which is prohibitively disruptive. Authorities in DNSSEC are even less impeachable in case of bad behavior than in Web PKI.

Furthermore, I haven't seen any update refuting Chrome's finding that a substantial portion of browser users are behind middleboxes that drop DNSSEC-sized DNS responses.

@avadacatavra
Copy link
Contributor

There's no cross-browser consensus on the tradeoffs with DANE, and I don't think this is a current priority for Servo.

We can reopen/revisit this in the future if things change in the browser ecosystem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@avadacatavra avadacatavra

Labels
A-network A-security B-interesting-project Represents work that is expected to be interesting in some fashion E-very-complex Very difficult. Do not attempt without significant relevant experience and motivation. I-safety Some piece of code violates memory safety guarantees.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@nox @frewsxcv @kmcallister @hsivonen @avadacatavra