[dane] Google Chromium team closes DNSSEC/DANE as a WontFix

Dan York <york@isoc.org> Thu, 02 October 2014 12:09 UTC

To: IETF DANE Mailinglist <dane@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/-VCKkEVI4wHrpWEzZKNobfSPNfQ

It seems we may not be seeing DANE / DNSSEC support in Google Chrome anytime soon. This ticket was just closed as a WontFix:

https://code.google.com/p/chromium/issues/detail?id=50874#c22

As the ticket says (in part):
-----
Closing this out as WontFix, as there are no plans.
<snip>
DNSSEC and DANE (types 2/3) do not measurably raise the bar for security compared to alternatives, and can be negative for security.
DNSSEC+DANE (types 0/1) can be accomplished via HTTP Public Key Pinning to the same effect, and with a much more reliable and consistent delivery mechanism.

While not desiring to stifle discussion, we've continued to evaluate the security and usability benefits and costs of DNSSEC and DANE, and will continue to do so, but for now, this is neither something we plan to implement nor would support landing.
-----

Any thoughts?

Dan