Solved

DANE and Convergence

Posted on 2016-09-02
Last Modified: 2016-09-02
What exactly are the DANE (DNS-authentication of name entities) and Convergence methods and how do they work in regards to SSL certified authorities? What issues can they resolve over from the SSL Public key infrastructure? What are some pros and cons of each method? I cannot seem to gain a solid grasp on the DANE and how it relates to DNSSEC.
Question by: K K

Expert Comment

by: Adam Brown
ID: 41782398
DANE is a method of managing Certificate Trust without requiring the certificate to be generated with a trusted CA. For instance, instead of using a Third Party CA to generate a certificate, you could have any certificate generated by a CA under your control signed by a DNSSEC root authority. The general purpose of this technique is to ensure validity without requiring explicit trust in the certificate generator. DNSSEC involves generating "signing" data at the root domain (.com, .net, and .org are root domains). Additional signing data verifying the validity of a system or certificate can be added through requests by subdomain (company.com is a subdomain of .com) owners. Those owners provide information on their certificates and the systems that will use them to the root domain owners, the root domain owners verify ownership of the domain and list the information in the DNSSEC root zone for other DNS servers to read and publish. Thus, any certificate utilizing DANE can be authenticated without requiring the involvement of a third party CA's universally distributed Root CA Certificate. This allows certificate authenticity to be verified through DNS instead of with a Root CA Certificate.

The Convergence method is a more or less distributed form of Certificate authentication. It works similarly to building normal certificates, but the trust is done through the use of "Notaries". While only one CA can currently be used to generate a specific certificate, with Convergence, you could have multiple sources of trust verification. Essentially, Convergence allows certificate trust to continue functioning even if an issuing authority is compromised. Normally, if a CA is compromised, every certificate generated by that CA has to be revoked and re-issued. This is considered a single point of failure. Convergence would allow individual notaries to be revoked when compromised, without requiring revocation of all certificates using that notary.

Both solutions are not fully developed yet, and both are designed only to improve the Authenticity function of Digital Certificates (The term SSL Certificate is a misnomer. SSL uses digital certificates, but is not the only protocol that can use them. And since SSL is currently considered less secure and most websites are being encouraged to move to TLS implementations instead, calling it an SSL Certificate is not technically correct or advisable). It does not improve a Certificate's ability to encrypt data, but instead changes the way that systems verify the validity of a Digital Certificate.

Does that help clarify things a little better?

Accepted Solution

by: Adam Brown (earned 500 total points)
ID: 41782402
I forgot to mention... There is very little support for either method at this time. DANE has support in some web browsers through add-ons. IE does not support it. Firefox does, but only with an add-on. Chrome does not support it and will not support it until DNSSEC moves to something other than RSA for its signing certificates. Exchange does not support it. Some FOSS mail servers do.

Convergence has no support in any browser yet, and there are very few Notaries available.

In short, neither method is actually useful yet. They are promising solutions, but will require significantly more time and adoption before they become useful.

Author Comment

by: K K
ID: 41782407
Thank you for your explanation. This is helpful. However, who sets up the notaries in Convergence? Is an administrator required to oversee, and how can we be assured that there will be many notaries to choose from? For DANE it seems as if the trust is left with the domain owner rather than a third party. Isn't this still a concern for man-in-the-middle attacks? What are some negatives for using these methods?

Author Closing Comment

by: K K
ID: 41782409
Thank you for your explanation. This is helpful. However, who sets up the notaries in Convergence? Is an administrator required to oversee, and how can we be assured that there will be many notaries to choose from? For DANE it seems as if the trust is left with the domain owner rather than a third party. Isn't this still a concern for man-in-the-middle attacks? What are some negatives for using these methods if they do gain traction?

Expert Comment

by: Adam Brown
ID: 41782460
DANE registration goes through domain registrars, so you have to register with a company that assists in providing root DNS data, so it is still managed by a third party, but it doesn't rely on a root CA, so you can use your own certs without having to distribute your root CA cert.

Notaries are also run by third party organizations. You can register a notary, but it would have to function publicly and provide authentication data for anyone who wants to use it.

Both methods still require interaction with a third party trust provider to work, but both support verification from multiple sources.

The downside with these solutions is that they won't work if applications don't support them, and once you move over to them, you'll have no trust validity at all when a non-supporting app requests validity data with Convergence. DANE will always work if you use a third-party CA to create your cert, though.

To me, DANE seems most likely to have good adoption in the future because it relies on existing infrastructure and has some backward compatibility built in. Convergence will require too much investment to become viable.
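The DNS-side mechanism behind both of Adam's DANE answers above is the TLSA record (RFC 6698): the domain owner publishes a digest of its certificate or public key in DNSSEC-signed DNS, and a client compares what the server presents against that record. The "usage" field is what gives DANE the backward compatibility mentioned above: usages 0 and 1 still require ordinary CA (PKIX) validation, while 2 and 3 trust the DNS data alone. The example below is added here and is not code from this thread; the DER bytes are a constructed stand-in, since the Python standard library has no X.509 parser, and the record name and domain are illustrative.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA field values (RFC 6698). Usage 0/1 still need PKIX validation by a CA;
# usage 2/3 are validated by the DNSSEC-signed record alone.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "exact", 1: "sha256", 2: "sha512"}

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data

    def presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"

def parse_tlsa(rdata: str) -> TLSA:
    """Parse the presentation form of a TLSA RR, rejecting unknown field values."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    rec = TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))
    if rec.usage not in USAGES or rec.selector not in SELECTORS or rec.matching not in MATCHING:
        raise ValueError(f"unsupported TLSA field values in {rdata!r}")
    return rec

def association_data(selected: bytes, matching: int) -> bytes:
    """Derive the RR data from the selected DER bytes (full cert or SPKI)."""
    if matching == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching](selected).digest()

def make_tlsa(selected: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> TLSA:
    """Domain-owner side: build the record to publish (default DANE-EE, SPKI, SHA-256)."""
    return TLSA(usage, selector, matching, association_data(selected, matching))

def matches(rec: TLSA, selected: bytes) -> bool:
    """Client side: does the DER the server presented match the published record?"""
    return hmac.compare_digest(rec.data, association_data(selected, rec.matching))

def pkix_still_required(rec: TLSA) -> bool:
    """True when the client must also run normal CA chain validation."""
    return rec.usage in (0, 1)

if __name__ == "__main__":
    spki = b"constructed-SPKI-bytes-not-a-real-key"  # stand-in for real DER
    rec = make_tlsa(spki)
    print("_443._tcp.example.com. IN TLSA", rec.presentation())
    print("matches:", matches(rec, spki), "pkix needed:", pkix_still_required(rec))
```

A real client must also confirm that the TLSA answer itself was DNSSEC-validated (a validating resolver or its own chain check) before trusting it; an unsigned answer gives none of the protection discussed above.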

Author Comment

by: K K
ID: 41782463
Thank you.