
Re: debcheckroot v2.0 released



Hello.

On 2 Apr 2020, at 0:57, Paul Wise wrote:

> Support for DANE is never going to happen for the web (given the
> opinions of the major browser makers) and it could disappear in other
> upstream projects as the popularity of DoH/DoT and other things in the
> DNS space eclipse DANE/DNSSEC.

I'm surprised by the second part of this statement, "and it
could disappear [...] as [...] other things [...] eclipse
DANE/DNSSEC."

DoH and DoT provide an encrypted query/response channel from the
client to the resolver. DNSSEC provides an assurance that the
resolver is not spoofing response data. DANE builds on DNSSEC
to protect against a compromised (or even rogue) CA certifying
an impostor instead of the legitimate operator of a service.

These are complementary protections against corresponding
distinct threats, not competing solutions to the same problem.


Best regards,

Niall O'Reilly

