DANE
DANE (DNS-based Authentication of Named Entities) is an authentication technique for digital certificates using the DNS architecture.
Context
On 15 March 2011, Comodo, a leading supplier in the X.509 certificate market, discovered that one of its affiliates had been compromised by an attacker who created a user account with them. Using this account, the attacker created a "Certificate Signing Request (CSR)" for several of the most important websites, such as login.live.com, mail.google.com, login.yahoo.com etc.
While many thought that the attack was an isolated case, four months later another CA, DigiNotar, was attacked. The attacker who compromised Comodo in March claimed the attack on DigiNotar. Although there is no evidence that both attacks were carried out by the same person, the fact remains that any attacker able to find a way into any CA or its affiliates was capable of compromising all the clients.
These incidents have accelerated the call to reassess PKIX, either by reinforcing the existing CA infrastructure or by identifying a different mechanism. It is in this context that AFNIC started working on DANE.
Work description
The main objectives of the DANE project at Afnic were to:
- Establish a "Proof of Concept" which demonstrates the use of the DANE protocol via a web browser;
- Post reference material in the form of a tutorial that could help a wider audience understand the DANE protocol;
- Improve the know-how internally at AFNIC in the Internet infrastructure security domain.
We analyzed existing proposals to strengthen the PKIX architecture and concluded that DANE is the best of them in terms of implementation considerations. We set up a platform to implement the DANE components on the server side. Since current browsers do not natively support DANE, we had to make minor changes to Chrome and Firefox to test DANE on the client side. Once the installation was done, we tested the DANE mechanism from start to finish in Firefox and Chrome.
Publications
- ISOC published an article about our DANE document on its "Deploy 360" website
- Published an article on DANE in the MISC newspaper, "Are we ready to go under DNSSEC for a more secure browsing?"