Now that HPKP is removed, browsers should do what they should have done from the beginning by supporting DNSSEC and DANE as a pinning mechanism. No need to support using it as an alternate root of trust. For compatibility, they can limit it to when DoT or DoH are being used by default.
Please don't let them impose inane policies on what sort of DANE records are acceptable for web. Anything should be accepted and completely override webpki if DANE semantics say it does (DANE-EE(3) or -TA(2) vs PKIX-*(0 or 1)).
twitter.com/DanielMicay/st are my thoughts on that. I think it's counterproductive to take an all or nothing approach. I can't see them supporting it as an alternative to WebPKI, at least on day 1.
They could start in an extremely conservative, limited way that's still very useful.
DANE already lets the domain owner decide whether they want both webpki and additional DANE constraints to be checked, or only DANE. There's no risk of applying it in an unwanted way.
They aren't going to implement it. It's very clear that it isn't going to happen. It's never going to get implemented if it's only advocated as a replacement for WebPKI instead of something usable alongside it. I want it to get implemented.
Replaced those tweets with another one that's less specific about how they could address the concerns they've raised about it in the past. It can be implemented in a way that sidesteps all of their concerns and then those things can be argued over time as separate issues.
I can't see them supporting it as an alternative to WebPKI in the near future. I'm trying to present an approach that meets the expectations / requirements of browser vendors.
It's advocated to serve whichever mode the site owner wants. But since you need compat with legacy browsers, you need WebPKI-valid certs for the foreseeable future anyway, and thus modes 2/3 are effectively the same as 0/1.
However, this does not justify having a nonconforming validation rule in browsers for modes 2/3. They should apply it as specified.
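The four certificate usages argued over above (PKIX-TA(0), PKIX-EE(1), DANE-TA(2), DANE-EE(3)) differ only in whether a matching TLSA record constrains the normal WebPKI result or replaces it. The following is an added example, not code from anyone in the thread or from any browser, that walks through that decision in the RFC 6698 sense. It is an assumption of the example that the caller has already run WebPKI validation (`pkix_valid`) and already checked that each presented certificate is signed by the next (`chain_signatures_valid`); the "certificates" are constructed byte strings standing in for DER, and no ASN.1 or signature verification is performed here.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# RFC 6698 certificate usage values (the "modes" discussed in the thread)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

# Constructed stand-in for a certificate: (full DER bytes, SubjectPublicKeyInfo DER bytes)
Cert = Tuple[bytes, bytes]


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0..3, see constants above
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex>'. The hex may be space-split."""
    usage, selector, mtype, *hexparts = rdata.split()
    rec = TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))
    if rec.usage not in (0, 1, 2, 3) or rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
        raise ValueError(f"unsupported TLSA field values: {rdata!r}")
    return rec


def tlsa_rdata(usage: int, selector: int, cert: Cert) -> str:
    """Build the SHA-256 (matching type 1) presentation-format rdata for a certificate."""
    candidate = cert[0] if selector == 0 else cert[1]
    return f"{usage} {selector} 1 {hashlib.sha256(candidate).hexdigest()}"


def record_matches(rec: TLSARecord, cert: Cert) -> bool:
    """Apply selector and matching type of one record to one certificate."""
    cert_der, spki_der = cert
    candidate = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return candidate == rec.data
    digest = hashlib.sha256 if rec.mtype == 1 else hashlib.sha512
    return digest(candidate).digest() == rec.data


def dane_decision(records: Sequence[TLSARecord], chain: List[Cert],
                  pkix_valid: bool, chain_signatures_valid: bool) -> str:
    """
    chain is leaf first. pkix_valid is the outcome of ordinary WebPKI validation;
    chain_signatures_valid means each cert in `chain` is signed by the next one
    (both assumed to be computed by the caller, outside this toy).
    Returns 'accept-pkix-constrained', 'accept-dane-only' or 'reject'.
    """
    for rec in records:
        if rec.usage in (PKIX_EE, DANE_EE):
            # end-entity usages look only at the leaf certificate
            matched = record_matches(rec, chain[0])
        else:
            # trust-anchor usages: an issuer in the presented chain is the anchor,
            # which only means something if the chain actually validates up to it
            matched = chain_signatures_valid and any(record_matches(rec, c) for c in chain[1:])
        if not matched:
            continue
        if rec.usage in (PKIX_TA, PKIX_EE):
            # usages 0/1 only add a constraint: WebPKI must still succeed
            if pkix_valid:
                return "accept-pkix-constrained"
            continue
        # usages 2/3 replace WebPKI for this name entirely
        return "accept-dane-only"
    return "reject"


def demo() -> dict:
    """Exercise the decision table on constructed certificates; returns each outcome."""
    leaf: Cert = (b"DER:leaf-cert", b"DER:leaf-spki")
    private_ca: Cert = (b"DER:private-ca-cert", b"DER:private-ca-spki")
    chain = [leaf, private_ca]
    ee_dane = [parse_tlsa(tlsa_rdata(DANE_EE, 1, leaf))]
    ee_pkix = [parse_tlsa(tlsa_rdata(PKIX_EE, 1, leaf))]
    ta_dane = [parse_tlsa(tlsa_rdata(DANE_TA, 0, private_ca))]
    return {
        # private CA, no WebPKI validity: DANE-EE accepts on the pin alone
        "dane_ee_no_webpki": dane_decision(ee_dane, chain, False, True),
        # same pin under PKIX-EE: WebPKI failure still rejects
        "pkix_ee_no_webpki": dane_decision(ee_pkix, chain, False, True),
        "pkix_ee_with_webpki": dane_decision(ee_pkix, chain, True, True),
        # DANE-TA needs the chain to really lead to the pinned issuer
        "dane_ta_good_chain": dane_decision(ta_dane, chain, False, True),
        "dane_ta_bad_chain": dane_decision(ta_dane, chain, False, False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `pkix_ee_*` rows are the point made above about legacy clients: if the certificate has to be WebPKI-valid anyway, a usage 0/1 record and a usage 2/3 record lead to the same acceptance, but only usage 2/3 keeps accepting when WebPKI fails, which is exactly the behaviour a browser must not quietly downgrade to the 0/1 rule.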