I have a feeling it is "actively avoided" because vendors don't want to lose control of the cert ecosystem. Allowing users to just generate a domain for themselves means it will never get logged in a central log and so can't be automatically found by crawlers by the big guys.
That's limited mostly by policy[1]; the current PKI environment already allows delegating a CA for a single domain.
[1] https://community.letsencrypt.org/t/sub-ca-with-wildcard-cer...
DNSSEC isn't easy, but neither is certbot. DNSSEC also isn't that hard if you're not self-hosting your DNS servers (and even then it's easy if you pick a modern DNS server).
Most domains seem to use their registrar's free DNS servers. For those domains, DNSSEC is often just a checkbox. I just activated DNSSEC on three domains by hitting that checkbox. A certbot-style tool can use the same API many existing certbot plugins already provide access to for setting up DANE.
However, until browsers actually implement DANE, it's pretty useless. I know some people use it for mail servers (for some reason, don't see why they can't use Let's Encrypt for that) but even there it's optional.