Difference between revisions of "X.509+DNSSEC+DANE+CAA"

From The Hive
(create article)
 
Line 8: Line 8:
  
 
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
 
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
 +
 +
A system called [https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities DANE] was proposed in [https://tools.ietf.org/html/rfc6698 RFC 6698] "as a way to authenticate TLS client and server entities without a certificate authority (CA)," but it was never widely deployed. An alternative known as [https://www.farsightsecurity.com/txt-record/2017/08/25/stsauver-caa-records-farsight/ CAA] was developed, with the advantage that [https://www.rfc-editor.org/rfc/rfc8659.html CAA] does not ''require'' DNSSEC as an absolute dependency for deployment.
  
 
== Certification Authority Authorization ==
 
== Certification Authority Authorization ==
  
 
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
 
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
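
Review bot: in the added paragraph, calling CAA "an alternative" to DANE reads as if the two do the same job, but the quoted DANE description is about authenticating TLS endpoints without a CA, while the linked RFC 8659 describes CAA as a way for a domain holder to say which CAs may issue for the domain. Suggest rewording so each mechanism's role is stated. The paragraph also sits above the "== Certification Authority Authorization ==" heading, so the CAA sentence would fit better under that heading. Both "CAA" links carry the same label but point to different targets (a Farsight blog post and RFC 8659), so label them distinctly. Finally, "it was never widely deployed" has no citation, and the quoted wording should be attributed so it is clear whether it comes from RFC 6698 or from the linked Wikipedia article.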

Revision as of 00:56, 6 February 2020

X.509 for SSL and TLS

X.509 certificates are the "certificates" that identify a website for "https" secure browsing.

Other tools exist to strengthen security and domain ownership beyond "commercial certs" offered by common vendors.

Domain Name System Security Extensions

https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

A system called DANE was proposed in RFC 6698 "as a way to authenticate TLS client and server entities without a certificate authority (CA)," but it was never widely deployed. An alternative known as CAA was developed, with the advantage that CAA does not require DNSSEC as an absolute dependency for deployment.

Certification Authority Authorization

https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization