Re: Thunderbird and end-to-end email encryption – should this be a priority?

Nomis101 Nomis101 at
Mon Aug 31 19:36:20 UTC 2015

On 31.08.15 at 15:06, Joshua Cranmer 🐧 wrote:
> On 8/30/2015 3:32 AM, Nomis101 wrote:
>> If we are talking about secure email, a question I have long asked myself
>> is, why is Mozilla not finishing the implementation of DNSSEC/DANE?
>> There are only half-ready patches on Bugzilla. There are some email
>> servers supporting this already [1].
> <> (written by a 
> Chrome developer, but still more or less the same arguments apply). 
> Basically:
> 1. DNSSEC uses 1024-bit RSA everywhere, where browsers/CAs are trying to 
> rip that out.
> 2. DNSSEC still has some problems getting to clients in certain networks 
> (primarily mobile ones is my understanding).
> 3. Given #2, requiring DANE records to validate SSL certificates is 
> untenable to roll out. The other security gains from DANE are rather 
> suspect--it's vulnerable to downgrade attack, pinning is already 
> possible in HTTP, and DNS is rather poorly audited compared to most CAs.
OK, thanks for the informative link. But on the other hand, /with DPRIVE
and DANE and DNSSEC you're creating the next generation of DNS step by
step/ [1]


