Difference between revisions of "X.509+DNSSEC+DANE+CAA"

From The Hive
m (Justina moved page X.509+DNSSEC+CAA to X.509+DNSSEC+DANE+CAA: DANE)
Latest revision as of 20:32, 11 February 2020

== X.509 for SSL and TLS ==

These are the "certificates" that identify a website for "https" secure browsing.

Other tools exist to strengthen security and domain ownership beyond "commercial certs" offered by common vendors.

== Domain Name System Security Extensions ==

https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

== DNS-based Authentication of Named Entities ==

A system called DANE was proposed in RFC 6698 "as a way to authenticate TLS client and server entities without a certificate authority (CA)," but it has never been very widely deployed.

The use of a CA or "commercial" certificate does not exclude the use of DANE, of course. If you enable DNSSEC on your domain, there is no reason why you cannot authorize your current "commercial" X.509 certificate via DANE, as well, independently of any commercial certification.

== Certification Authority Authorization ==

Somewhat as an alternative or adjunct to DANE, a much simpler system known as CAA was developed, with the advantage that CAA does not require DNSSEC as an absolute dependency for deployment.

https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
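As an added illustration (not part of this wiki page or any CA's code), the following Python shows how a CA applies the CAA rules from RFC 8659 to decide whether it may issue for a name: it climbs the tree to find the Relevant RRset, honours the critical flag, and lets `issuewild` override `issue` for wildcard requests. The zone data, the CA names and the `ZONE` structure are constructed for the example; CNAME chasing is omitted.

```python
# Constructed CAA data for the example; these are not real DNS records.
# Each entry: owner name -> list of (flags, tag, value) as in a CAA RR.
ZONE = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", ";"),                       # no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "strict.example.com": [(0, "issue", ";")],        # nobody may issue here
    "legacy.example.com": [(128, "futuretag", "x")],  # critical flag, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name, zone):
    """Climb from the name toward the root; the first owner that has a CAA
    RRset is the Relevant RRset (RFC 8659 section 3). CNAMEs are not chased."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return owner, zone[owner]
    return None, []


def ca_may_issue(name, ca_domain, zone, wildcard=False):
    """Return True if a CA identified by ca_domain may issue for name."""
    _, rrset = relevant_caa(name, zone)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is not restricted
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # critical flag on a property the CA does not understand
    if wildcard and any(tag == "issuewild" for _, tag, _ in rrset):
        governing = "issuewild"
    else:
        governing = "issue"  # no issuewild present: issue governs wildcards too
    values = [v for _, tag, v in rrset if tag == governing]
    if not values:
        return True   # no property restricts this kind of request
    # Value syntax is "<issuer-domain>[; param=value ...]"; a bare ";" names no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```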