But how would you have it do it? Ideally it'd support DANE. Webpki isn't really suitable for this.
Conversation
Replying to
What? Every public IMAP endpoint I ever used had WebPKI certificates. Half their docs are about using Gmail.
And self-hosted setups should use free WebPKI certificates or their own roots, and likewise should require secure configuration by default, not be hung to dry.
1
1
Replying to
Oh, apparently IMAP has a separate IMAPS port so that kinda works. I forgot that. Still DV is meh for non-https usages.
1
STARTTLS services can still be used while enforcing TLS with valid Web PKI certificates. DANE is nice but relying on DNS with DNSSEC has other threats (registrars, etc.) and doesn't give cert transparency. DV certainly sucks but CT is very valuable and Web PKI is being improved.
2
The right way to use DANE is pinning keys. I don't think it makes much sense to use it to pin certificates. As a key pinning mechanism it's perfectly suited to be an additional security check and can live happily alongside Web PKI. CT is a nice check on registrars, not just CAs.
1
If you're thinking about DANE for HTTPS, yes PKIX-EE(1) is reasonably fit for purpose, if/when (some day) the browsers actually implement DANE.
For SMTP, web PKI is not a good fit. See section 1.3 of RFC7672. MTA-STS is a kludge.
WebPKI btw., is just as vulnerable to registrars
1
1
> For SMTP, web PKI is not a good fit. See section 1.3 of RFC7672. MTA-STS is a kludge.
It works fine. MTA-STS is certainly a kludge since it should just be the only option. People who want to run their own mail server and still receive mail can set up a valid certificate.
1
> WebPKI btw., is just as vulnerable to registrars
CT with enforcement of SCTs at least provides an audit trail to detect a compromise or malicious behavior. There isn't a choice between using Web PKI or DANE since they work fine together. Don't see why someone wouldn't do both.
1
CT works much better in theory than in practice. Only the big players have the resources to audit the logs and determine whether any unauthorised certificates have been issued. It is a pretty high cost to avoid forgery of certificates for Google, and at best works after the fact.
1
It hardly takes a lot of resources, especially for a clean / simple setup. I would expect that the complexity of the setup reflects the resources of the organization and if there's an over-engineered sprawling mess that's a whole separate problem. How are they going to use DANE?
1
If someone can set up DANE, they're in a position to audit CT logs for certificates issued with the wrong key. As I mentioned earlier, I don't see why these things are presented as alternatives when they work fine alongside each other. Doing both is the most practical / secure.
Gmail and other major providers don't enforce DANE but some do enforce MTA-STS so there is not really much choice: if you care about securing it, you need both today, and there is still value in Web PKI such as CT / SCTs to verify in a world where nearly everyone enforced DANE.
DANE is utterly trivial to setup. If anything it's harder for big orgs that have large legacy DNS setups not amenable to DNSSEC (ie Google).
1
I don't disagree with you about DANE being a better approach and easy to setup. I just think that Web PKI has both practical value (dealing with anyone not using DANE) and actual value via CT which can also be considered to place a check on registrars too, not just CAs.
3
Show replies
Someone who wants that can use PKIX-EE TLSA records. I absolutely don't. The webpki architecture is wrong for this and DANE-EE (usage 3) conveys explicit intent (& requirement by spec) not to check webpki.
1
Yes that means Google is MITM'able. That's their choice to suck. Microsoft is adopting DANE this year. It's a requirement for gov contracts in some countries. Others will follow. Google will be forced to join them at some point.
1
Show replies