Conversation

It hardly takes a lot of resources, especially for a clean / simple setup. I would expect that the complexity of the setup reflects the resources of the organization and if there's an over-engineered sprawling mess that's a whole separate problem. How are they going to use DANE?
If someone can set up DANE, they're in a position to audit CT logs for certificates issued with the wrong key. As I mentioned earlier, I don't see why these things are presented as alternatives when they work fine alongside each other. Doing both is the most practical / secure.
I don't disagree with you about DANE being a better approach and easy to set up. I just think that Web PKI has both practical value (dealing with anyone not using DANE) and actual value via CT, which can also be considered to place a check on registrars too, not just CAs.
I think we've talked about this before and you seem to be misunderstanding my position this time. I don't see a reason not to set up both since it's easy. Can reuse the key when getting a new certificate with LE and now there's actually a verifiable audit trail for certificates.
Trusting LE certificates is strictly weaker than DANE. Do you audit the CT logs looking for unexpected certs for your domain? Are you paying someone to do it? How can they tell which certs are legitimate? ... I see lots of smoke and mirrors. [Yes, it works for Google et al.]
> Trusting LE certificates is strictly weaker than DANE.

It's not, and I never said anything about not using DANE.

> Do you audit the CT logs looking for unexpected certs for your domain?

Yes.

> Are you paying someone to do it?

A script is doing it.
Parsing the CT logs has an n^2 cost. Every domain has to read every cert. It only works at scale if the "monitors" are a centralized service you query (and pay). It works now only because almost nobody (tiny fraction) is checking.
I don't really want to argue about this anymore right now - I don't think we disagree that much and it's counterproductive for you to spend your time arguing with me when I support and use DANE and DNSSEC. I just also set up MTA-STS for practical reasons and see value in CT.
Can't do a good job having a technical discussion like this right now especially when it feels like an argument. Having trouble with people doing stuff to harm me right now and don't want to argue with someone who supports me about something we barely disagree on right now.
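The check the thread keeps circling back to (reuse the same key at every LE renewal, publish it as a DANE TLSA 3 1 1 record, and have a script flag any CT-logged certificate for the domain whose key differs) looks like this as an added illustration; it is not code from anyone in the conversation. Certificates and keys are generated in-process as constructed stand-ins for CT log entries; a real monitor would feed in certificates fetched from the logs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// tlsa311 returns the TLSA "3 1 1" matching data of a certificate: SHA-256 over its DER
// SubjectPublicKeyInfo (usage 3 DANE-EE, selector 1 SPKI, matching type 1 SHA-256).
func tlsa311(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// unexpectedCerts returns the CT-observed certificates whose SPKI hash differs from the
// pinned TLSA data: if the same key is reused at every renewal, any other key is suspect.
func unexpectedCerts(pinned string, observed []*x509.Certificate) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range observed {
		if tlsa311(c) != pinned {
			out = append(out, c)
		}
	}
	return out
}

// selfSigned builds a throwaway certificate for key (constructed test data, not a real log entry).
func selfSigned(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

func main() {
	ours, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // key published in the TLSA record
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key behind a mis-issued cert
	pinned := tlsa311(selfSigned(ours, 1))
	observed := []*x509.Certificate{selfSigned(ours, 2), selfSigned(rogue, 3)} // simulated CT entries
	for _, c := range unexpectedCerts(pinned, observed) {
		fmt.Printf("unexpected cert serial=%s spki=%s\n", c.SerialNumber, tlsa311(c))
	}
}
```

The comparison is per certificate and per domain, so it is exactly the "every domain reads every cert" cost raised above; the point here is only that a pinned key makes the legitimate/illegitimate decision mechanical rather than a judgement call.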