On Sat, Apr 10, 2021 at 12:59:34PM -0700, Michael Thomas wrote:
> Let me ask a pointed question: if we used DANE+DNSSec do we have confidence
> in the security of the solution? I think we'd have to have a lot of
> confidence in both that they are really ready for prime time.

I do, for the reasons I gave. It can't be worse than WebPKI, that's for
sure. At least in a pre-post-quantum world. In a PQ world I suspect we'd
want to have something more akin to a PKI + Needham-Schroeder to optimize
PQ PK.

I think I would prefer a single-root PKIX PKI with name constraints to
DNSSEC/DANE. Perhaps we can still get that by getting registries/registrars
to operate name-constrained CAs, and replace WebPKI with a DNS-parallel PKI.
But at this point DNSSEC/DANE seems much more realistic as a way to get to
a single-root name-constrained PKI for domain names.

Also, DNSSEC can do secure denial of existence while PKIX cannot, because
whereas DNSSEC is based on a directory (DNS), X.509/PKIX, though it was
meant to be used with directories (DAP), doesn't really have a viable global
directory scheme (imagine using LDAP as we use DNS!), and doesn't have a
directory that can do secure denial of existence either.

Nico
--