How can we improve the Microsoft Edge developer experience?

Support certificate validation using DANE (RFC 6698)

DNS-based Authentication of Named Entities (DANE) complements and sometimes replaces the current trust model for certificates. Since it is based on the hierarchical DNSSEC system, it doesn't have the flaw of having numerous (and sometimes a bit untrustworthy) certificate authorities all able to issue certificates for any domain. By making CAs unnecessary for domain-only certificates, it would shift their market to providing more reliable validation of additional information, such as who is the owner of the domain.

36 votes
    Lionel Fourquaux shared this idea

    1 comment

      • Alice Wonder commented

        Please PLEASE support DANE. There is already partial support in Firefox via an add-on, though it is not developed by Mozilla.

        For me, I use DANE as a form of two-factor authentication for my TLS certificates. All my DNS servers use DNSSEC and all my TLS certificates do have TLSA records in DNS, but I do not see DANE as replacing certificate authorities; as a user I like two forms of authentication from websites. The trusted CA is one form, the fingerprint in a DNSSEC-signed TLSA record is the second form.

        DANE is better than HPKP for this because HPKP records are not signed, making them Trust On First Use. I prefer Validate On Every Use which is what DANE does for me.

        Thank you for your time.
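
The check described in the comment above (CA validation plus a fingerprint match against a DNSSEC-signed TLSA record, repeated on every connection), as an added sketch that is not part of the original post or of any browser's code. The function names, the sample byte strings and the choice to reject when no end-entity TLSA record matches are assumptions; the field values follow RFC 6698.

```python
import hashlib
import hmac

# Constructed stand-ins for a server certificate and its SubjectPublicKeyInfo.
# Real callers pass the DER bytes taken from the TLS handshake.
SAMPLE_CERT = b"constructed certificate DER"
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo DER"
SAMPLE_RRSET = ["3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()]

def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector matching-type hex'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def tlsa_matches(rdata, cert_der, spki_der):
    """True if one TLSA record matches the end-entity certificate."""
    try:
        usage, selector, mtype, assoc = parse_tlsa(rdata)
    except ValueError:
        return False                      # malformed record never matches
    if usage not in (1, 3):               # 1 = PKIX-EE, 3 = DANE-EE
        return False                      # trust-anchor usages 0/2 are out of scope here
    if selector == 0:                     # 0 = full certificate
        selected = cert_der
    elif selector == 1:                   # 1 = SubjectPublicKeyInfo
        selected = spki_der
    else:
        return False
    if mtype == 0:                        # 0 = exact bytes
        candidate = selected
    elif mtype == 1:                      # 1 = SHA-256
        candidate = hashlib.sha256(selected).digest()
    elif mtype == 2:                      # 2 = SHA-512
        candidate = hashlib.sha512(selected).digest()
    else:
        return False
    return hmac.compare_digest(candidate, assoc)

def accept_connection(ca_valid, dnssec_secure, tlsa_rrset, cert_der, spki_der):
    """Both factors must hold on every connection (assumed policy)."""
    if not ca_valid:
        return False                      # factor 1: chain to a trusted CA
    if not dnssec_secure:
        return False                      # unsigned TLSA data must not be used
    return any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrset)
```

Nothing is cached between calls, which is the contrast with a trust-on-first-use pin that the comment draws.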
