Now that HPKP is removed, browsers should do what they should have done from the beginning by supporting DNSSEC and DANE as a pinning mechanism. No need to support using it as an alternate root of trust. For compatibility, it can be limited to when DoT or DoH are being used by default.
If an attacker controls the DNS records, they can get a DV certificate. Only supporting using it for pinning would be fine. It isn't mandatory to use it as a replacement for WebPKI. I don't expect browser vendors to do that. They can implement a subset they consider appropriate.
WebPKI-enforced requirements for supported algorithms, key sizes, Certificate Transparency via Signed Certificate Timestamps (SCTs), etc. would remain the same.
If at a later point they decided to offer an alternative to CAs instead of only supporting pinning, that's an option.
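As an added example, not part of the thread above and not any browser's code, here is how a "DANE as pinning only" check could be structured in Python: WebPKI validation stays mandatory, and DNSSEC-validated TLSA records merely narrow which key or certificate the already-valid chain may present. The (cert DER, SPKI DER) chain representation and the sample bytes are constructed assumptions; real code would extract the SubjectPublicKeyInfo from the parsed certificate.

```python
import hashlib
from typing import List, Tuple

# Constructed representation: (cert_der, spki_der) per certificate, leaf first.
# Real code would parse the DER certificate to extract its SubjectPublicKeyInfo.
Chain = List[Tuple[bytes, bytes]]

def _matching_data(blob: bytes, matching_type: int) -> bytes:
    """RFC 6698 matching types: 0 = exact data, 1 = SHA-256, 2 = SHA-512."""
    if matching_type == 0:
        return blob
    if matching_type == 1:
        return hashlib.sha256(blob).digest()
    if matching_type == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unsupported TLSA matching type {matching_type}")

def tlsa_matches(record: str, chain: Chain) -> bool:
    """record is TLSA presentation format: '<usage> <selector> <matching> <hex>'."""
    usage, selector, matching, data = record.split()
    usage, selector, matching = int(usage), int(selector), int(matching)
    # Usage 1/3 (end-entity) constrain the leaf; usage 0/2 (trust anchor)
    # constrain some issuer in the chain. In pinning-only mode neither
    # usage introduces trust: it only narrows an already WebPKI-valid chain.
    candidates = chain[:1] if usage in (1, 3) else chain[1:]
    for cert_der, spki_der in candidates:
        blob = cert_der if selector == 0 else spki_der  # selector 0 = cert, 1 = SPKI
        if _matching_data(blob, matching) == bytes.fromhex(data):
            return True
    return False

def dane_pin_ok(pkix_valid: bool, dnssec_secure: bool, chain: Chain,
                records: List[str]) -> bool:
    """Pinning-only DANE policy: WebPKI is mandatory, TLSA can only narrow.
    Records that were not DNSSEC-validated are ignored (plain WebPKI applies),
    so a forged unsigned answer cannot break connections; a mismatch against
    validated records is a hard failure, like a bad pin."""
    if not pkix_valid:
        return False
    if not dnssec_secure or not records:
        return True
    return any(tlsa_matches(r, chain) for r in records)

# Constructed sample chain; these bytes stand in for real DER encodings.
LEAF = (b"leaf-cert-der", b"leaf-spki-der")
ISSUER = (b"issuer-cert-der", b"issuer-spki-der")
SAMPLE_CHAIN: Chain = [LEAF, ISSUER]
LEAF_PIN = "3 1 1 " + _matching_data(LEAF[1], 1).hex()
ISSUER_PIN = "2 1 1 " + _matching_data(ISSUER[1], 1).hex()
```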