[jdev] https://github.com/stpeter/manifesto and additional ideas

Dave Cridland dave at cridland.net
Thu Nov 14 17:07:51 UTC 2013

On Thu, Nov 14, 2013 at 4:34 PM, Ralf Skyper Kaiser <skyper at thc.org> wrote:

> Pinning does not require a CA at all (private or public). Why use a
> feature (DANE) that requires a CA if it is possible to have the same level
> of security with Pinning; which requires no CA, works well with self-signed
> certificates, requires no infrastructure upgrade and which puts the direct
> trust into the hands of the server-admins?
I may regret asking, but how do you see this working with federation?

So each server presumably makes an unattended leap-of-faith in order to get
your pinning info, and then every server has to store the pinning info for
every other server they ever contact?

If the certificate was *also* signed by a CA, you'd at least limit the
initial LoF, and protect yourself against subsequent CA compromise - which
is basically the attack that Perrin et al consider. I hold that DANE
provides security against *initial* CA compromise as well, and obviates the
need to pinning as such - it certainly requires an infrastructure upgrade,
but provides a security upgrade as well.

As such, I suspect your quote above has several flaws:

a) DANE does not require a CA.

b) DANE does work with self-signed certificates.

c) DANE provides a higher level of security compared to mere pinning.

d) DANE also puts direct trust into the hands of the service admin.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20131114/70308bef/attachment.html>

More information about the JDev mailing list