At the RSA Security conference this week, a panel of CAs and researchers discussed ideas that could help shore up the system of awarding SSL certificates.
DANE Leverages DNS
Yngve Pettersen, a software developer and security specialist for TLS Prober Labs, mentioned an approach known as DANE (DNS-based Authentication of Named Entities). DANE is defined by the IETF (Internet Engineering Task Force) in RFC 6698 and leverages the DNS to validate the integrity of an SSL certificate. More specifically, DANE requires that DNSSEC be deployed for the zone, which gives the published domain name information an additional layer of integrity protection.
“DANE allows the owner of a domain to signal which site certificate can be used, which CAs can be used and which public keys can be used for a given host in a domain,” Pettersen said.
However, one issue with DANE that Pettersen highlighted is that it is not clear how certificate revocation would be handled effectively.
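DANE publishes the signalling Pettersen describes as TLSA records (RFC 6698): a usage field says whether the pin names a trust anchor or the end-entity certificate, a selector picks the whole certificate or just its public key, and a matching type says whether the data is the raw object or a SHA-256/SHA-512 digest of it. The following added example (not code from the article or from any DANE implementation) builds and parses such a record and checks a presented chain against it; the certificate bytes and the `_443._tcp.example.com.` owner name are constructed placeholders, and the PKIX path validation that usages 0 and 1 additionally require is deliberately out of scope.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Field values from RFC 6698 section 2.1.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}

# Constructed sample material (not real DER): stand-ins for certificate and SPKI bytes.
LEAF_CERT, LEAF_SPKI = b"constructed-leaf-cert-der", b"constructed-leaf-spki-der"
ISSUER_CERT, ISSUER_SPKI = b"constructed-issuer-cert-der", b"constructed-issuer-spki-der"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # Certificate Association Data


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Association data a certificate yields for a given selector and matching type."""
    chosen = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return chosen
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(chosen).digest()


def tlsa_for(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Presentation form the zone owner would publish (hypothetical owner name)."""
    hexdata = association_data(selector, mtype, cert_der, spki_der).hex()
    return f"_443._tcp.example.com. IN TLSA {usage} {selector} {mtype} {hexdata}"


def parse_tlsa(rr: str) -> TLSA:
    """Parse a full RR or bare RDATA ('3 1 1 <hex>'); reject unknown field values."""
    fields = rr.split()
    i = fields.index("TLSA") if "TLSA" in fields else -1
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError(f"unknown TLSA field values in: {rr}")
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[i + 4:])))


def tlsa_matches(record: TLSA, chain: list[tuple[bytes, bytes]]) -> bool:
    """chain is [(cert_der, spki_der), ...], end-entity first.
    Usages 1 and 3 pin the leaf only; usages 0 and 2 may match any cert in the chain.
    Not performed here: PKIX validation (usages 0/1) and path building to the anchor (usage 2)."""
    candidates = chain[:1] if record.usage in (1, 3) else chain
    return any(association_data(record.selector, record.matching_type, c, k) == record.data
               for c, k in candidates)
```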