
DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP - okket
https://www.rfc-editor.org/rfc/rfc7929.txt
======
teddyh
Link with more HTML:
[https://tools.ietf.org/html/rfc7929](https://tools.ietf.org/html/rfc7929)

~~~
okket
And here with timeline etc:
[https://datatracker.ietf.org/doc/rfc7929/](https://datatracker.ietf.org/doc/rfc7929/)

All docs from the DANE working group:
[https://datatracker.ietf.org/wg/dane/documents/](https://datatracker.ietf.org/wg/dane/documents/)

------
cultureulterior
I'm still annoyed that browsers didn't start supporting DANE

~~~
jcranmer
One of the main implementors of TLS in Chrome answered why:
<[https://www.imperialviolet.org/2015/01/17/notdane.html](https://www.imperialviolet.org/2015/01/17/notdane.html)>.

It boils down to:

* Getting the DANE and DNSSEC records to the end users' machines is surprisingly difficult (they recorded 4-5% failure to lookup TXT records that they knew existed), so requiring that it be done to accept a certificate isn't going to work.

* DNSSEC uses 1024-bit RSA, which is now considered too weak to use in web browsers, and the IETF/ICANN refuse to up its security.

~~~
teddyh
> _DNSSEC uses 1024-bit RSA, which is now considered too weak to use in web
> browsers, and the IETF/ICANN refuse to up its security._

False. The root KSK is currently 2048 bits¹, and the ZSK will be changed this
year from 1024 to 2048 bits².

¹ [https://www.iana.org/dnssec/icann-dps.txt](https://www.iana.org/dnssec/icann-dps.txt)

² [https://www.icann.org/en/system/files/files/ksk-rollover-ope...](https://www.icann.org/en/system/files/files/ksk-rollover-operational-implementation-plan-22jul16-en.pdf#22)

------
Tharkun
How is this going to make PGP easier for the average user?

~~~
divingdeer
This protocol can provide an alternative to the web of trust. The verification
method of the web of trust can't be easily automated; this protocol's can. For
example, with this protocol an email client can look up the matching PGP key for
an email address. This could make everyday use easier, but people will have to
set up PGP, generate keys and then publish them. In my opinion this is still
too difficult for the average user.
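The lookup divingdeer describes is what RFC 7929 specifies: the client takes the local-part of the address, hashes it with SHA2-256, truncates the digest to 28 octets, hex-encodes it, and queries `<hex>._openpgpkey.<domain>` for an OPENPGPKEY record whose RDATA is the binary (non-armored) OpenPGP transferable public key; in zone-file presentation format that RDATA is base64. The block below is an added example, not code from the RFC or from the thread, showing how a mail client would derive the owner name, how an operator would write the record, and how the client checks that an answer belongs to the address it asked about. The sample key bytes are constructed stand-ins (only the first octets of a public-key packet), the functions and their names are this example's own, and the "DNSSEC-validated answer" is assumed rather than fetched, since the example runs offline.

```python
import base64
import hashlib
import re
from typing import Tuple

# Constructed stand-in for RFC 4880 binary key material: an old-format packet
# header for tag 6 (public key, 0x99) with a two-octet length, then a version-4
# marker and four creation-time octets.  It is NOT a usable key; it only has
# enough shape to exercise the record-format code below.
SAMPLE_KEY = bytes([0x99, 0x00, 0x05, 0x04, 0x00, 0x00, 0x00, 0x00])

# Octets that begin an OpenPGP public-key packet: 0x99 old-format tag 6 with a
# two-octet length, 0xC6 new-format tag 6.
_PUBKEY_PACKET_FIRST_OCTETS = (0x99, 0xC6)


def openpgpkey_owner_name(email: str) -> str:
    """Owner name to query for an address (RFC 7929 section 5).

    local-part -> SHA2-256 -> first 28 octets -> hex, then "._openpgpkey."
    and the domain.  The address is split at its last '@'.  The local-part is
    hashed exactly as given (no case folding: 'Hugh' and 'hugh' differ); the
    domain is lowercased because DNS names are case-insensitive.  Returned as
    an FQDN with a trailing dot.
    """
    local_part, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}."


def zone_record(email: str, key: bytes, ttl: int = 3600) -> str:
    """Presentation-format record an operator would publish for the address.

    Form: <owner> <ttl> IN OPENPGPKEY <base64 of the binary key>.
    """
    rdata = base64.b64encode(key).decode("ascii")
    return f"{openpgpkey_owner_name(email)} {ttl} IN OPENPGPKEY {rdata}"


_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+OPENPGPKEY\s+(\S+)$")


def parse_zone_record(line: str) -> Tuple[str, int, bytes]:
    """Parse one presentation-format line back into (owner, ttl, raw key)."""
    match = _RR.match(line.strip())
    if match is None:
        raise ValueError("not an OPENPGPKEY record")
    owner, ttl, b64 = match.groups()
    return owner, int(ttl), base64.b64decode(b64, validate=True)


def looks_like_public_key(rdata: bytes) -> bool:
    """Cheap sanity check: RDATA must start with a public-key packet header."""
    return len(rdata) > 0 and rdata[0] in _PUBKEY_PACKET_FIRST_OCTETS


def lookup_matches(email: str, record_line: str) -> bool:
    """Client-side acceptance check for an answer (assumed DNSSEC-validated).

    A real client must only get here if its validating resolver reported the
    answer as authenticated (AD bit) or it validated the chain itself; an
    unsigned OPENPGPKEY answer proves nothing.  Here we check that the record's
    owner is the name derived from the address and that the RDATA at least
    begins like an OpenPGP public-key packet.
    """
    owner, _ttl, rdata = parse_zone_record(record_line)
    expected = openpgpkey_owner_name(email).lower()
    return owner.lower() == expected and looks_like_public_key(rdata)


if __name__ == "__main__":
    line = zone_record("hugh@example.com", SAMPLE_KEY)
    print(line)
    print("accepted:", lookup_matches("hugh@example.com", line))
    print("wrong address accepted:", lookup_matches("other@example.com", line))
```

The case-sensitivity note matters in practice: the RFC hashes the local-part as given, so a client that normalises "Hugh" to "hugh" before hashing will query a different name than the one the zone operator published, and the lookup silently fails rather than returning a wrong key.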

