
DANE is a protocol that enables verified TLS connections without CAs - danezz
http://wiki.halon.io/DANE
======
tptacek
And all you have to do to use it is sign up for a PKI controlled by the United
States Government! What a deal!

------
cryptbe
Crypto as I know it doesn't allow performing an authenticated key exchange
between two entities without either a pre-shared secret or a trusted third
party (CA) [1]. Anyone who promises anything like that is either selling
snake-oil or hiding some requirement. DANE still requires trusted third
parties; I'm not sure why it's better than the current model.

[1] There's
[https://en.wikipedia.org/wiki/Merkle%27s_Puzzles](https://en.wikipedia.org/wiki/Merkle%27s_Puzzles),
but it's not really practical when you make it secure and not secure when you
make it practical.

~~~
sargun
It requires the trust of the DNS roots. Which is pretty neat actually:
[http://www.root-dnssec.org/](http://www.root-dnssec.org/)

And it requires your registrar to not try to perform a malicious attack
against you. But at that point, most registrars already have access to a root
CA, and your domain - they could easily break your environment.
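
The thread keeps circling on what a DANE client actually checks and where its trust anchor sits. The following is an added example (not code from the linked wiki, from Halon, or from any commenter) that parses TLSA RDATA in the RFC 6698 wire format and matches it against a peer's certificate bytes the way a DANE-aware client would after DNSSEC validation. It assumes the caller already holds the certificate DER and its SubjectPublicKeyInfo DER (extracting the SPKI from a real X.509 certificate is left out), and the sample byte strings are constructed placeholders, not real keys or certificates.

```python
"""Parse DNS TLSA records (RFC 6698) and match them against certificate material.

Wire format of TLSA RDATA: usage (1 byte), selector (1 byte),
matching type (1 byte), certificate association data (rest).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_NAMES = {0: "Cert", 1: "SPKI"}
MATCHING_NAMES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Decode one TLSA RDATA blob; reject values outside the IANA registries."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = rdata[0], rdata[1], rdata[2]
    if usage not in USAGE_NAMES or selector not in SELECTOR_NAMES \
            or mtype not in MATCHING_NAMES:
        raise ValueError("unknown usage/selector/matching type")
    return TLSARecord(usage, selector, mtype, rdata[3:])


def to_presentation(rec: TLSARecord) -> str:
    """Zone-file form, e.g. '3 1 1 <hex>'."""
    return f"{rec.usage} {rec.selector} {rec.matching_type} {rec.assoc_data.hex()}"


def needs_pkix_chain(rec: TLSARecord) -> bool:
    """Usages 0 and 1 still require a CA-validated chain; 2 and 3 do not."""
    return rec.usage in (0, 1)


def _presented_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Select cert or SPKI, then apply the record's matching type."""
    data = cert_der if rec.selector == 0 else spki_der
    if rec.matching_type == 0:
        return data
    if rec.matching_type == 1:
        return hashlib.sha256(data).digest()
    return hashlib.sha512(data).digest()


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Constant-time comparison of the presented data with the record."""
    return hmac.compare_digest(_presented_data(rec, cert_der, spki_der),
                               rec.assoc_data)


def dane_ee_accepts(records: Iterable[TLSARecord], cert_der: bytes,
                    spki_der: bytes, dnssec_validated: bool) -> Optional[TLSARecord]:
    """Return the DANE-EE (usage 3) record that matches, or None.

    A TLSA RRset that did not validate under DNSSEC carries no trust at all,
    so it is treated as absent rather than as a match.
    """
    if not dnssec_validated:
        return None
    for rec in records:
        if rec.usage == 3 and tlsa_matches(rec, cert_der, spki_der):
            return rec
    return None


# Constructed sample material: these are NOT real DER certificates or keys.
SAMPLE_CERT_DER = b"constructed-cert-der-placeholder"
SAMPLE_SPKI_DER = b"constructed-spki-der-placeholder"
# Constructed "3 1 1" record: DANE-EE, SPKI selector, SHA-256 matching.
SAMPLE_RDATA = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI_DER).digest()
SAMPLE_HEX = hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()

if __name__ == "__main__":
    rec = parse_tlsa_rdata(SAMPLE_RDATA)
    print(to_presentation(rec))
    print("match:", dane_ee_accepts([rec], SAMPLE_CERT_DER, SAMPLE_SPKI_DER, True) is rec)
```

The `dnssec_validated` flag is the whole point of the argument above: with usage 3 no CA is consulted, but the check is only as trustworthy as the DNSSEC chain (root key, TLD, registrar-controlled DS record) that delivered the TLSA RRset, and usages 0 and 1 still need a CA-validated chain on top.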

------
devnull42
I have been working with this for quite some time now. I was pretty surprised
to see this on HN as news.

