[HTTPS-Everywhere] HTTPS Everywhere is unscalable (uses central database)
Phil Vandry
vandry at TZoNE.ORG
Fri Apr 29 14:56:01 PDT 2011
Hi Seth,
Thanks for your comprehensive answer.
On 2011-04-29 13:25, Seth David Schoen wrote:
> I don't know what the best place to work on that standardization
> right now is, but we can ask Jeff Hodges. Right now there is a
> standards effort at IETF called DANE to put TLS information into
> DNSSEC, but their focus is on presenting cryptographic keys and not
...and that work is definitely important. I believe Dan Kaminsky was
the first to publicly talk about the essential idea behind DANE.
> TLS".) The most relevant standard to doing what you describe is
> called HSTS but it's currently only carried in-band in HTTPS, not
> over DNSSEC. Everyone working on it has understood that it needs to
> be carried out-of-band eventually.
In that case I will keep an eye on HSTS development and I'm glad to know
the people working on it foresee the need to make it out-of-band.
I should say that I do understand that DNSSEC is insufficiently deployed
at the moment (both in terms of signed zones and in terms of validating
resolvers) to widely rely on it for either DANE or a future out-of-band
HSTS.
-Phil
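The point Seth and Phil are circling above (HSTS is carried in-band, so a client only learns a host's policy after it has already completed one HTTPS exchange, and an out-of-band source such as a signed DNS record would remove that first-visit gap) is easy to see in a small client-side model. The following is an added example for this archive page, not code from the thread, from HTTPS Everywhere or from any browser: it parses a Strict-Transport-Security header per the directive grammar the HSTS specification later fixed as RFC 6797 (mandatory max-age, case-insensitive names, duplicate or missing max-age invalidates the header, header ignored over plain http), keeps a tiny known-host store, and applies the http-to-https rewrite. The `preload` method and the lowercased header-dict keys are assumptions made for the demonstration; no out-of-band record format is standardized here.

```python
import re
from dataclasses import dataclass

# HSTS directive grammar (RFC 6797 section 6.1): "max-age" is mandatory,
# directive names are case-insensitive, each directive may appear only once,
# unknown directives are ignored, and a malformed header is ignored entirely.
_MAX_AGE_RE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)


def parse_sts(value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid and a conforming client must ignore it.
    """
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        m = _MAX_AGE_RE.match(directive)
        if m:
            if max_age is not None:      # duplicate max-age -> whole header invalid
                return None
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_subdomains = True
        # any other directive name is ignored by design
    if max_age is None:
        return None
    return max_age, include_subdomains


@dataclass
class HstsEntry:
    expires_at: float
    include_subdomains: bool


class HstsCache:
    """Minimal model of a client's HSTS known-host store."""

    def __init__(self):
        self._known = {}  # lowercased host -> HstsEntry

    def observe(self, host, scheme, headers, now):
        """Process one response; returns True if a policy was stored or cleared.

        The header is honoured only on a secure transport. Over plain http it
        is ignored, since anyone on the path could have injected it.
        Assumes header names in `headers` are already lowercased.
        """
        if scheme != "https":
            return False
        value = headers.get("strict-transport-security")
        if value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:                         # max-age=0 removes the policy
            self._known.pop(host.lower(), None)
            return True
        self._known[host.lower()] = HstsEntry(now + max_age, include_subdomains)
        return True

    def preload(self, host, include_subdomains, now, max_age):
        """Hypothetical out-of-band policy source (e.g. a signed DNS record).

        Models what the thread anticipates; it is not a standardized format.
        """
        self._known[host.lower()] = HstsEntry(now + max_age, include_subdomains)

    def is_known_host(self, host, now):
        """Exact match, or a parent domain whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._known.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:          # expired: forget it
                del self._known[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def rewrite_url(cache, url, now):
    """Upgrade http:// to https:// for known HSTS hosts (RFC 6797 section 8.3)."""
    scheme, _, rest = url.partition("://")
    hostport = rest.split("/", 1)[0]
    path = rest[len(hostport):]
    host, _, port = hostport.partition(":")
    if scheme != "http" or not cache.is_known_host(host, now):
        return url
    port_part = "" if port in ("", "80") else ":" + port  # 80 becomes the default 443
    return "https://" + host + port_part + path


def bootstrap_demo():
    """The in-band bootstrap problem: URLs actually fetched for successive
    navigations to http://example.com/ (constructed scenario)."""
    cache, now, fetched = HstsCache(), 1_000_000.0, []
    # 1. First visit: nothing is cached, so the plaintext request goes out.
    fetched.append(rewrite_url(cache, "http://example.com/", now))
    # The site redirects to HTTPS and that HTTPS response carries the header.
    cache.observe("example.com", "https",
                  {"strict-transport-security": "max-age=31536000; includeSubDomains"}, now)
    # 2. Later visits inside max-age are upgraded before any packet leaves.
    fetched.append(rewrite_url(cache, "http://example.com/", now + 60))
    fetched.append(rewrite_url(cache, "http://www.example.com/", now + 60))
    # 3. Once the policy expires the client is back in the first-visit state.
    fetched.append(rewrite_url(cache, "http://example.com/", now + 31536000 + 1))
    return fetched


def out_of_band_demo():
    """With a preloaded (out-of-band) policy even the first navigation is upgraded."""
    cache, now = HstsCache(), 1_000_000.0
    cache.preload("example.net", include_subdomains=False, now=now, max_age=86400)
    return (rewrite_url(cache, "http://example.net/", now),
            rewrite_url(cache, "http://www.example.net/", now))
```

Running `bootstrap_demo()` shows the first and the post-expiry navigations leaving as plain `http://`, which is exactly the window an out-of-band carrier would close; `out_of_band_demo()` shows the preloaded host upgraded on its very first request while its subdomain is not, because the modeled record did not set includeSubDomains.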