> Chrome found that the Internet as it actually exists, with a diversity of broken middleboxes, made DANE impossible to deploy effectively. You can't count on DANE lookups succeeding, because middleboxes shoot down DNSSEC lookups, which look weird compared to ordinary lookups.

Yikes!

> It's worth keeping in mind that proof of domain ownership doesn't have to depend on the DNS; you can also just ask registrars directly, via something like RDAP. If we're going to keep pinning Internet trust to name ownership, there's probably no reason we have to involve the DNS at all.

Do you think this would be useful? I'm not part of the Let's Encrypt team anymore, but I still know almost all of them (but, to my knowledge, nobody from any registrars).

I've kind of wished for something like this in the past (on the basis that it would obviate other kinds of attacks against the domain validation process, such as routing or DNS attacks), but I'm not sure what the user interaction flow would look like, or whether it could be made compatible with Let's Encrypt's desire to automate almost all certificate issuance and renewal steps.

It seems like maybe the registrars would have to give out proof-of-ownership RDAP challenge API credentials (that a server could use to ask the registrar to serve a particular value via RDAP?).

From an absolute security perspective, I'm not sure I see how RDAP is much better than a DNS/DNSSEC-based solution, but if you can make RDAP work, you can get most (maybe more!) of the purported benefit of DNSSEC (vis-à-vis the WebPKI) with a tiny number of deployments, compared to the billions (I think, if you do the math over, say, 10 years, assuming wide deployment --- which won't happen, but, arguendo --- you can get there) we'll spend on DNSSEC...
