[BIP 15] Aliases



Summary:

This document addresses the issues that the TLS and DTLS protocols face in using PKIX certificates to authenticate servers. TLSA provides bindings of keys to domains, and those bindings are asserted not by external entities but by the entities that operate the DNS. DANE leverages DNSSEC, which makes it a better option to trust than HTTPS. However, DANE depends on DNSSEC to bind the self-signed certificate to the domain, and if one is going to rely on DNSSEC so that DANE can support HTTPS, it makes more sense to publish the identifiers, secure the zone via DNSSEC, and link a stub resolver into the client.

In this context, there is a discussion of the problems with HTTPS: multiple CAs have been strong-armed by governments, or tricked by scammers, into issuing fake certificates. It is suggested that this problem is outside the remit of Bitcoin to solve. There is also a proposal to be stricter about which CA certificates the Bitcoin client trusts, restricting them to CAs with demonstrably good practices for verifying identity rather than relying on the trust pre-installed in browsers.


Updated on: 2023-06-04T21:52:15.015964+00:00