Hacker Times: donselaar's comments

That's funny, I used to keep a similar blog on my experience on Microsoft's Cloud. On Tumblr instead of Mastodon. Previously submitted to HN: https://hackertimes.com/item?id=12788098


Makes sense indeed. It exists and it's called DANE. https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...


Yes and then your government controls your “trusted” connection.


Like the NSA did not control CAs? Or are you one of those conspiracy nuts that think the NSA cracked it?


The way that we deal with CAs now developed so much after these issues were disclosed.

It is actually adding to my argument. The NSA and any other government entities REALLY WANT to control these certificates. However, our interaction with CAs became much more secure now because we learned and developed things like CT logs. Major browsers are removing entire CAs from their trust store if shady stuff happens ASAP. You can’t do the same with TLDs. This argument is made frequently on here, why would you even want to propose to regress into stuff like DANE…? DNS servers are such a bad trust anchor, if you could even call it a trust anchor at all.

If you want to discuss further, I ask you to stay on topic instead of name calling.


Well, roughly 30% globally and 60% in my country (The Netherlands) where the government mandates it for governmental systems. Source: https://stats.labs.apnic.net/dnssec


That's validation, not signatures, right?


*crickets*


I really hope DANE will become more popular (and widely supported) some time. Works great on air gapped networks without the need for a publicly trusted CA or Let's Encrypt. No ACME daemon to monitor, just put your public key in a DNS record and forget about it.


> Works great on air gapped networks

I've usually seen DANE paired with DNSSEC, and on the internet it feels required. DANE on an air gapped network is new to me, do you just skip the DNSSEC part? I'd be fearful of joining a network that puts bogus DANE TLSA records for google.com, for example.

Browser support for DANE is at 0%, unfortunately.

https://caniuse.com/?search=dane


You're right that DANE kind of implies DNSSEC. Technically it can go without, but it's quite pointless to do because you cannot trust your TLSA record without DNSSEC.

DNSSEC works in an air gapped network when you deploy your own trust anchor in your DNS. I wouldn't touch a domain name that you don't own yourself (like google.com) but instead only use a domain name you purchased.

It surprises me that DANE is even listed on caniuse.com! I expected it to be way too exotic to be on that list. I'm under no illusion that browsers are going to support this anytime soon, unfortunately.

Now let's hope I didn't wake up tptacek to lecture us on how DNSSEC is bad and how it will eat your children. ;)
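The exchange above (put the server's public key in a TLSA record, and only trust that record when it arrived via DNSSEC under a trust anchor you control) as an added, self-contained example that is not part of the thread. It builds the DANE-EE record a zone would publish for a constructed SubjectPublicKeyInfo, and shows the client-side check that refuses an unauthenticated answer. The owner name `_443._tcp.example.com.` and the SPKI bytes are constructed sample values, not real data; only the Python standard library is used.

```python
"""Build and verify a DANE TLSA record (RFC 6698 / RFC 7671) with stdlib only.

Added example for the DANE/DNSSEC discussion; not code from the thread.
"""
import hashlib
import hmac
import struct

# TLSA field values used here:
#   usage 3        = DANE-EE: trust this end-entity key directly, no CA involved
#   selector 1     = match against the SubjectPublicKeyInfo (SPKI)
#   matching type 1 = SHA-256 of the selected data (0 = full data, no hash)
DANE_EE, SEL_SPKI, MATCH_FULL, MATCH_SHA256 = 3, 1, 0, 1

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo (EC P-256 shape).
# A real deployment reads this from the server certificate, e.g.
# `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER`.
SAMPLE_SPKI = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
    "04" + "11" * 32 + "22" * 32
)


def tlsa_rdata(usage, selector, mtype, selected_data):
    """Wire-format RDATA: three one-octet fields followed by the association data."""
    if mtype == MATCH_SHA256:
        assoc = hashlib.sha256(selected_data).digest()
    elif mtype == MATCH_FULL:
        assoc = selected_data
    else:
        raise ValueError("unsupported matching type %d" % mtype)
    return struct.pack("!BBB", usage, selector, mtype) + assoc


def parse_tlsa(rdata):
    """Split RDATA into (usage, selector, matching type, association data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def tlsa_presentation(owner, rdata):
    """Zone-file line for the record, e.g. for the air-gapped zone described above."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, assoc.hex())


def dane_ee_matches(rdata, peer_spki, dnssec_authenticated):
    """Client check for a DANE-EE/SPKI record.

    Returns True only when the TLSA answer was validated by DNSSEC (the
    resolver's AD bit, under the local trust anchor) AND the peer's SPKI
    matches. An unsigned record is rejected outright: without DNSSEC any
    network could hand out a TLSA record for a name it does not own.
    """
    if not dnssec_authenticated:
        return False
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != DANE_EE or selector != SEL_SPKI:
        return False  # this example only handles "3 1 x" records
    if mtype == MATCH_SHA256:
        return hmac.compare_digest(hashlib.sha256(peer_spki).digest(), assoc)
    if mtype == MATCH_FULL:
        return hmac.compare_digest(peer_spki, assoc)
    return False


if __name__ == "__main__":
    record = tlsa_rdata(DANE_EE, SEL_SPKI, MATCH_SHA256, SAMPLE_SPKI)
    print(tlsa_presentation("_443._tcp.example.com.", record))
    print("validated answer, right key:", dane_ee_matches(record, SAMPLE_SPKI, True))
    print("unsigned answer, right key: ", dane_ee_matches(record, SAMPLE_SPKI, False))
```

The `dnssec_authenticated` flag stands for whatever your resolver reports after validating against the trust anchor you deployed in the air-gapped zone; a record that fails that step never reaches the key comparison, which is the "DANE without DNSSEC is pointless" point in plain code.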


Me too. But the CA and browser mafia is too intertwined to let this change anytime soon.


Are you being facetious or do you actually believe this?


They did not reinvent the wheel here. This is just the SAML 2.0 standard. The only consequence of launching this product is that there is another competitor on the SSO market, which is a good thing I think.


Technically true. But when it comes to writing a website, do you plan to add "SAML 2.0 auth" or "Google SSO, Facebook SSO, Amazon SSO"? I think all need to be configured, tested and debugged, even if they are based on the same communication protocol.

