
If someone can set up DANE, they're in a position to audit CT logs for certificates issued with the wrong key. As I mentioned earlier, I don't see why these things are presented as alternatives when they work fine alongside each other. Doing both is the most practical / secure.
I don't disagree with you about DANE being a better approach and easy to setup. I just think that Web PKI has both practical value (dealing with anyone not using DANE) and actual value via CT which can also be considered to place a check on registrars too, not just CAs.
I think we've talked about this before and you seem to be misunderstanding my position this time. I don't see a reason not to set up both since it's easy. Can reuse the key when getting a new certificate with LE and now there's actually a verifiable audit trail for certificates.
Trusting LE certificates is strictly weaker than DANE. Do you audit the CT logs looking for unexpected certs for your domain? Are you paying someone to do it? How can they tell which certs are legitimate? ... I see lots of smoke and mirrors. [Yes, it works for Google et al.]
> Trusting LE certificates is strictly weaker than DANE.

It's not and I never said anything about not using DANE.

> Do you audit the CT logs looking for unexpected certs for your domain?

Yes.

> Are you paying someone to do it?

A script is doing it.
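The check the reply above describes (a script auditing CT entries for the domain) combined with the earlier point about reusing the same key for DANE and the LE certificate, written out as an added example. This is not the poster's script and not part of the thread; it assumes constructed CT-style records of the shape `{"cert_id", "names", "spki_der"}` (a real monitor would fill these from a CT log or monitor service) and a DANE pin in TLSA `3 1 1` style, i.e. SHA-256 over the DER SubjectPublicKeyInfo. Any certificate covering the domain whose key does not match the pin is flagged as unexpected.

```python
"""
Added example (not from the thread): offline CT-audit check that flags
certificates for a domain whose public key is not the DANE-pinned key.

Assumptions (not from the thread):
- Entries are constructed records {"cert_id", "names", "spki_der"}; a real
  monitor would populate them from a CT log or a monitor service.
- The pin is a TLSA "3 1 1"-style value: hex SHA-256 of the DER-encoded
  SubjectPublicKeyInfo. Reusing the key across renewals keeps it stable.
"""
import hashlib
from typing import Iterable, List


def spki_sha256_hex(spki_der: bytes) -> str:
    """TLSA selector 1 (SPKI) with matching type 1 (SHA-256), hex-encoded."""
    return hashlib.sha256(spki_der).hexdigest()


def name_matches(name: str, domain: str) -> bool:
    """True if a SAN entry covers `domain`: exact match, a subdomain, or a wildcard."""
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    # "*.example.com" ends with ".example.com", so wildcards are covered too.
    return name == domain or name.endswith("." + domain)


def audit_ct_entries(entries: Iterable[dict], domain: str,
                     pinned_spki_hex: Iterable[str]) -> List[str]:
    """Return ids of certificates covering `domain` whose SPKI hash is not pinned."""
    pinned = {p.lower() for p in pinned_spki_hex}
    unexpected = []
    for entry in entries:
        if not any(name_matches(n, domain) for n in entry["names"]):
            continue  # certificate is for some other domain; ignore it
        if spki_sha256_hex(entry["spki_der"]) not in pinned:
            unexpected.append(entry["cert_id"])
    return unexpected


# Constructed sample data: placeholder byte strings stand in for real DER SPKIs.
OUR_KEY = b"constructed-spki-der-for-our-key"
OTHER_KEY = b"constructed-spki-der-for-someone-else"
PINNED = [spki_sha256_hex(OUR_KEY)]  # what the TLSA 3 1 1 record would carry

SAMPLE_ENTRIES = [
    {"cert_id": "entry-1", "names": ["example.com", "www.example.com"], "spki_der": OUR_KEY},
    {"cert_id": "entry-2", "names": ["other.test"], "spki_der": OTHER_KEY},
    {"cert_id": "entry-3", "names": ["*.example.com"], "spki_der": OTHER_KEY},
]

if __name__ == "__main__":
    for cert_id in audit_ct_entries(SAMPLE_ENTRIES, "example.com", PINNED):
        print("unexpected certificate for example.com:", cert_id)
```

Because the pin is the same SPKI hash published in the TLSA record, the script answers the "how can they tell which certs are legitimate" question without a manual allow-list: a certificate is legitimate exactly when it carries the key the domain owner already committed to in DNS.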
Parsing the CT logs has an n^2 cost. Every domain has to read every cert. It only works at scale if the "monitors" are a centralized service you query (and pay). It works now only because almost nobody (tiny fraction) is checking.
From the perspective of CT logs where n is the number of sites? I don't really see the problem since it just involves serving static files that can be cached and distributed. The `n` is the number of people hosting sites which for that usage is not really a large number.
Can't do a good job having a technical discussion like this right now especially when it feels like an argument. Having trouble with people doing stuff to harm me right now and don't want to argue with someone who supports me about something we barely disagree on right now.