dnssec-trigger + GNOME + NetworkManager integration

Michael Catanzaro mcatanzaro at gnome.org
Fri Jul 3 16:02:17 UTC 2015

On Fri, 2015-07-03 at 11:21 -0400, Mike Pinkerton wrote:
> Isn't the whole point to eliminate the need for third party
> certificate authorities entirely?

Well, I think you could choose to do that, or you could choose to use it
as an additional security measure on top of traditional certificate

> Just to clarify what you are saying -- if there is a third party
> certificate chain which fails, then you would distrust the site.  But
> if there is no third party certificate authority chain, and DANE
> succeeds, then you would accept the DANE-provided certificate and
> trust the site.

I was thinking to require both to work, instead of just one or the
other. Seems like that would make life hardest for the attacker.
Anyway, we'll probably wait for some major browser to use DANE first
(probably won't be Chrome [1]) and then copy what they do for GNOME.


[1] https://www.imperialviolet.org/2015/01/17/notdane.html

