Now that HPKP is removed, browsers should do what they should have done from the beginning by supporting DNSSEC and DANE as a pinning mechanism. No need to support using it as an alternate root of trust. For compatibility can limit it to when DoT or DoH are being used by default.
Conversation
This Tweet was deleted by the Tweet author. Learn more
Replying to
Please don't let them impose inane policies on what sort of DANE records are acceptable for web. Anything should be accepted and completely override webpki if DANE semantics say it does (DANE-EE(3) or -TA(2) vs PKIX-*(0 or 1)).
3
Replying to
twitter.com/DanielMicay/st are my thoughts on that. I think it's counterproductive to take an all or nothing approach. I can't see them supporting it as an alternative to WebPKI, at least on day 1.
They could start in an extremely conservative, limited way that's still very useful.
This Tweet is unavailable.
1
DANE already lets the domain owner decide whether they want both webpki and additional DANE constraints to be checked, or only DANE. There's no risk of applying it in an unwanted way.
1
Replying to
They aren't going to implement it. It's very clear that it isn't going to happen. It's never going to get implemented if it's only advocated as a replacement for WebPKI instead of something usable alongside it. I want it to get implemented.
2
Replaced those tweets with another one that's less specific about how they could address the concerns they've raised about it in the past. It can be implemented in a way that sidesteps all of their concerns and then those things can be argued over time as separate issues.
1
I can't see them supporting it as an alternative to WebPKI in the near future. I'm trying to present an approach that meets the expectations / requirements of browser vendors.
2
Replying to
What does "supporting it as an alternative to WebPKI" entail? What specifically would you have them do instead?
1
Replying to
Support DNSSEC and verify TLSA records on top of what they already implement rather than replacing it. As long as I can pin the public keys of leaf certificates, I'll be happy. I don't care about avoiding the need to use something like Let's Encrypt. Not a hill I want to die on.
I can't see them doing that, at least without adopting DANE and then figuring out what they would expect to use it as a replacement for WebPKI. For example, they're still going to want CT, and they won't want domain owners to be able to choose a mechanism that doesn't have it.