Re: Security for various IETF services

On 10 April 2014 16:37, Dave Cridland <dave@xxxxxxxxxxxx> wrote:
On 10 April 2014 11:47, Dave Crocker <dhc@xxxxxxxxxxxx> wrote:
On 4/9/2014 3:36 PM, Dave Cridland wrote:
DNSSEC, and DANE, allow you to provide a "Domain Validated" public key,
much like the cheap/free certificates currently available from CAs, but
more reliably and simply. I think the same level of trust is there
either way, except that the cheap/free CA certs are very weakly
validated in practice.


What deployment and use has DANE achieved, so far?


Like all new security technology it's slow going. In the DANE case, we're obviously limited by the deployment of DNSSEC itself as well.

Within the XMPP community, which is really the only place I'm able to track, https://xmpp.net/stats.php will

not, because I'm an idiot who didn't check the URI he typed, but https://xmpp.net/reports.php will
 
give you the live information, but to save you looking, the percentages are still pretty low. 83 sites out of 3283, so about 2.5%, support DANE. 6.3% deploy DNSSEC signed SRV records. We have, on those servers tested, 100% TLS deployment, but only about 49.4% of those use trusted certificates (there's a lot of CACert.org which are considered untrusted here).

Given that DANE itself is not yet fully specified for XMPP, and is less than two years old, I think this is reasonable traction.

These stats are gathered and maintained by Thijs Alkemade's excellent software, by the way, I don't mean to take any credit for this. I just read 'em.

Dave.

