Now that HPKP is removed, browsers should do what they should have done from the beginning by supporting DNSSEC and DANE as a pinning mechanism. No need to support using it as an alternate root of trust. For compatibility can limit it to when DoT or DoH are being used by default.
Conversation
This Tweet was deleted by the Tweet author. Learn more
Replying to
Please don't let them impose inane policies on what sort of DANE records are acceptable for web. Anything should be accepted and completely override webpki if DANE semantics say it does (DANE-EE(3) or -TA(2) vs PKIX-*(0 or 1)).
3
Replying to
twitter.com/DanielMicay/st are my thoughts on that. I think it's counterproductive to take an all or nothing approach. I can't see them supporting it as an alternative to WebPKI, at least on day 1.
They could start in an extremely conservative, limited way that's still very useful.
This Tweet is unavailable.
DANE already lets the domain owner decide whether they want both webpki and additional DANE constraints to be checked, or only DANE. There's no risk of applying it in an unwanted way.
1
Show replies