Conversation

This Tweet was deleted by the Tweet author. Learn more

Replying to

Please don't let them impose inane policies on what sort of DANE records are acceptable for web. Anything should be accepted and completely override webpki if DANE semantics say it does (DANE-EE(3) or -TA(2) vs PKIX-*(0 or 1)).

Replying to

twitter.com/DanielMicay/st are my thoughts on that. I think it's counterproductive to take an all or nothing approach. I can't see them supporting it as an alternative to WebPKI, at least on day 1. They could start in an extremely conservative, limited way that's still very useful.

This Tweet is unavailable.

Replying to

Why not? What is the risk in doing it right?

Replying to

and

DANE already lets the domain owner decide whether they want both webpki and additional DANE constraints to be checked, or only DANE. There's no risk of applying it in an unwanted way.

Replying to

They aren't going to implement it. It's very clear that it isn't going to happen. It's never going to get implemented if it's only advocated as a replacement for WebPKI instead of something usable alongside it. I want it to get implemented.

Replying to

and

Replaced those tweets with another one that's less specific about how they could address the concerns they've raised about it in the past. It can be implemented in a way that sidesteps all of their concerns and then those things can be argued over time as separate issues.

Replying to

and

I can't see them supporting it as an alternative to WebPKI in the near future. I'm trying to present an approach that meets the expectations / requirements of browser vendors.

Replying to

What does "supporting it as an alternative to WebPKI" entail? What specifically would you have them do instead?

Replying to

Support DNSSEC and verify TLSA records on top of what they already implement rather than replacing it. As long as I can pin the public keys of leaf certificates, I'll be happy. I don't care about avoiding the need to use something like Let's Encrypt. Not a hill I want to die on.

Replying to

and

I can't see them doing that, at least without adopting DANE and then figuring out what they would expect to use it as a replacement for WebPKI. For example, they're still going to want CT, and they won't want domain owners to be able to choose a mechanism that doesn't have it.

5:58 AM · Jan 5, 2021Twitter Web App