Re: Thunderbird and end-to-end email encryption – should this be a priority?
Nomis101 at web.de
Mon Aug 31 19:36:20 UTC 2015
On 31.08.15 at 15:06, Joshua Cranmer 🐧 wrote:
> On 8/30/2015 3:32 AM, Nomis101 wrote:
>> If we are talking about secure email, a question I long asked myself
>> is, why is Mozilla not finishing the implementation of DNSSEC/DANE?
>> There are only half-ready patches on Bugzilla. There are some email
>> servers supporting this already.
> <https://www.imperialviolet.org/2015/01/17/notdane.html> (written by a
> Chrome developer, but still more or less the same arguments apply).
> 1. DNSSEC uses 1024-bit RSA everywhere, where browsers/CAs are trying to
> rip that out.
> 2. DNSSEC still has some problems getting to clients in certain networks
> (primarily mobile ones is my understanding).
> 3. Given #2, requiring DANE records to validate SSL certificates is
> untenable to roll out. The other security gains from DANE are rather
> suspect--it's vulnerable to downgrade attack, pinning is already
> possible in HTTP, and DNS is rather poorly audited compared to most CAs.
OK, thanks for the informative link. But on the other hand, with DPRIVE
and DANE and DNSSEC you're creating the next generation of DNS step by