When you support DANE, you trust the various governments responsible for the various country domains to not want to MITM owners of said domains.
I'm sure everybody has a different subset of governments they would be putting in the "trustworthy" bucket and it's not up to the browser vendors to make a political statement there.
Browser vendors would have to trust all governments equally and AFAIK, none of them have publicly stated what their policies regarding MITMing DNSSEC are, nor how well they protect their DNSSEC signing keys.
CAs have to follow quite rigorous protocols if they want to be included in the browser default list and they have all the financial incentives to comply.
Governments don't have to follow anything and even if they had, they have all the incentives not to comply.
This is why DANE, while otherwise sounding like a really good idea, is ultimately doomed to failure. No browser wants to take responsibility for less-than-stellarly performing governments and no browser wants to make a political statement by only supporting DANE for certain top level domains but not others.
The CA model is broken (>500 CAs, a race to the bottom in terms of price, security is not a part of their business model). DANE is no better. What we really want is to be able to withdraw trust. There is no point for me to trust some Iranian CA. Why should I want to trust one? Today I have to trust it, because you can't just remove a CA without breaking a percentage of websites for you. And you can't normally erase a CA from existence, because many customers rely on a single CA and each of them would have a broken website.
Please read about Convergence by Moxie Marlinspike. It solves the problem of removing trust.
With DANE it's immediately visible who you have to trust, and that can't easily be changed. If it's a .se domain then you know that only the Swedish govt can MITM that, with the current CA model any CA is able to authorize a MITM.
Don't use .com if you distrust them. It's still orders of magnitude better than the CA model.
The web site owner gets to choose which top domain to use and trust. It is not the end user that is supposed to value how much trust they put in each CA. That alone is the most important point right there.
This makes absolutely no sense to me. DNSSEC is a forklift upgrade of a key piece of the architecture of the Internet. We should incur that cost so that all of the most popular sites on the Internet will end up with the USG as their CA? And that's "orders of magnitude" better than what we have now?
Today, for a .com, there are a large number of CAs (let's call it 100?) that can sign a cert. Additionally the registrar or the registry (VeriSign) can change NS and DS records due to a US court order (or otherwise) and the new destination could get a domain control validated certificate.
If DANE were adopted and the current CA system abolished, then the registrar or the registry could still change the NS and DS records to take over a domain, but that takes us from 100+ parties capable of signing a cert to 2 parties that are already part of the system.
It is. The trifecta of three-letter agencies can expropriate and generate valid certificates for .com domains today. But they can't do this for most of the other TLDs.
No cryptography in the world can protect you from a fully legal domain transfer. So, who better to be your CA than the registrar who has this power anyway?
DANE is about 500x better than the current CA model, using your estimation. All CAs are allowed to issue certificates for almost every (not entirely true, but pretty much so) domain, while only one top domain is involved in DANE trust.
I don't need to trust the Iranian top domain (which is what you mean, not "government") for all of the web that is not in .ir. I don't know about you, but 100% of my web use falls in that bucket.
And if you want to visit an .ir domain you need to trust the Iranian domain registry, independently of whether you use CAs, DANE or even Convergence. If they change the legitimate owner of the domain (which is what you mean here!), they can just as easily get a legitimate SSL certificate in every trust model in practical use.
(Indeed, if a legitimate owner of a domain couldn't get a legitimate certificate, there'd be no possibility to do things like rotate your keys and change your certificate. That would be an even bigger problem than broken CAs.)
So DANE makes sense. And while there are known issues with DNSSEC, trusting governments is not one of them. Not more so than with any other model.
DANE is just the hash of a site's cert stored in DNS as a TLSA record. I get that it is then signed with DNSSEC, but I don't get how this involves any governments. It's still the site operator putting the hash of their cert in the TLSA. Can you elaborate how you're 'trusting governments' when you're using DANE?
IMO it's much easier for an [NSA|GCHQ|etc] to compel a CA to give site operators broken certs than it is to deal with site operators rolling their own certs and using DNSSEC/DANE. Even if Sweden is controlling .se, example.se can create their own cert and stick its hash in their DNS. Does your model of 'trusting government' then enter into the picture because their entire domain is then signed by .se?
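The TLSA record described above, as an added example that is not code from any post in this thread: it builds the record an operator would publish for its own end-entity certificate (the common "3 1 1" form, DANE-EE, SubjectPublicKeyInfo, SHA-256) and performs the check a client would run on the certificate the server presents. The certificate is a constructed, unsigned dummy DER structure with a made-up key, and the owner name `_443._tcp.example.se.` is assumed for illustration only.

```python
# Added example (not from the thread): build and check a DANE TLSA record, RFC 6698.
import hashlib
import hmac
from dataclasses import dataclass


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite (short- or long-form) length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos] -> (tag, value, whole_tlv, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        hdr = 2 + (first & 0x7F)
        length = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (tag and length included) of a Certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _, _ = read_tlv(cert_der, 0)     # Certificate SEQUENCE
    _, tbs, _, _ = read_tlv(cert_body, 0)          # tbsCertificate SEQUENCE
    tag, _, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                                # explicit [0] version: skip to serialNumber
        tag, _, _, pos = read_tlv(tbs, pos)
    for _ in range(4):                             # skip signature, issuer, validity, subject
        _, _, _, pos = read_tlv(tbs, pos)
    tag, _, spki, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

    def presentation(self, owner: str) -> str:
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def parse_tlsa(rdata: str) -> TLSA:
    """Parse the RDATA '3 1 1 <hex>' of a presentation-format TLSA record."""
    u, s, m, h = rdata.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex(h))


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return selected
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], selected).digest()


def build_tlsa(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """What the operator publishes for its own end-entity cert (default '3 1 1')."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))


def matches(tlsa: TLSA, cert_der: bytes) -> bool:
    """DANE-EE (usage 3) check a client runs on the cert the server presented.
    Only meaningful if the TLSA RRset arrived with a validated DNSSEC chain."""
    if tlsa.usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled in this example")
    return hmac.compare_digest(tlsa.data, association_data(cert_der, tlsa.selector, tlsa.mtype))


def dummy_certificate(key_bits: bytes, serial: int = 1) -> bytes:
    """Constructed, unsigned dummy Certificate for the demo (NOT a valid X.509 cert)."""
    oid_rsa = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")         # rsaEncryption
    sig_alg = der_seq(der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), der_tlv(0x05, b""))
    name = der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0c, b"example.se"))))
    validity = der_seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z"))
    spki = der_seq(der_seq(oid_rsa, der_tlv(0x05, b"")), der_tlv(0x03, b"\x00" + key_bits))
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, bytes([serial])),
                  sig_alg, name, validity, name, spki)
    return der_seq(tbs, sig_alg, der_tlv(0x03, b"\x00" * 33))
```

Two things the code makes visible that the prose does not. First, with selector 1 the record pins the public key, not the certificate, so the operator can re-issue a certificate for the same key (new serial, new validity) without touching DNS, while a "3 0 1" record would have to be republished; this is where the key-rotation concern raised later in the thread comes in. Second, `matches()` is only as strong as the DNSSEC validation of the answer it was parsed from: the zone that signs the TLSA RRset, and every zone above it up to the root, is exactly the set of parties the thread is arguing about. Usage 1 (PKIX-EE), not implemented here, is the variant where the record constrains a certificate that must also pass normal CA validation, which is the "both PKI and DANE" arrangement suggested in a later comment.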
Suppose you could use both normal PKI + DANE? This way you would need both a signed certificate and a MITM for DNSSEC.
Also in some cases, DANE is "enough". (Unless they start to MITM all websites.)
It's about users though. You do SSL for the users, not for your sake. If you as the server owner trust the government behind, say, .ch, then that's fine for you. But if browsers supported DANE, then all of the browsers users would also have to trust the government behind .ch.
Or rather: The users trust the browsers to show an SSL warning if there's an indication that the connection is being MITMd.
Today, the browsers trust (hand-picked, subjected to stringent rules) CAs to tell them whether a connection is being MITMd or not and they then tell the users.
In the case of DANE, the UI to the user is the same (Blow up or don't blow up), so the trust given by the user to the browser is also the same, but now the browsers can't rely on CAs which they control to some extent (using said rules and monetary incentives), but they must rely on governments, often without oversight or clue and with all the incentives to MITM connections.
That means that by trusting DANE, browsers force users to also trust DANE and users might not want to trust some or all of the entities behind DNSSec.
The percentage of government controlled TLDs is rapidly declining though. And making the CA an integral and evident part of the domain and url is a vast improvement to the current state of affairs.
Is the USA-controlled DNS root a problem here? Hopefully interference would require highly visible and suspicious changes to the DNS root.
I do not understand your first paragraph. If the last 5 years have demonstrated anything, it's that the US DOJ more or less controls the 3 most popular TLDs. I am not seeing the same decline in government control you do. Please be more specific?
Also: I have a really hard time seeing how baking a CA into the fabric of the Internet is a vast improvement over the current situation we have now, in which we are continually tormented by our reliance on CAs.
I meant what I said: there are 700+ TLDs listed at https://www.iana.org/domains/root/db and the percentage controlled by governments is declining - currently 297 country-code TLDs and a handful of other state controlled domains (including .com). ICANN has been giving out new top-level domains pretty generously and the vast majority of the new ones are non-state domains. Hence, the percentage of state/government controlled TLDs is declining.
No matter what the PKI system is, there will be more and less trustworthy actors around.
I agree that many state controlled TLDs are currently quite popular, but I don't see them as generally less trustworthy than the commercially operated TLDs. Both groups will contain some iffy elements, but I don't know if there's any way to build a system where iffy actors can't play. At least they can only mangle their own domains with DANE. And it sounds like DNSSEC should be quite a bit more tamper-evident than our current CA system.