Support for DANE (RFC-7672) and certificate validation

Encryption Security

1 reply to this topic

#1 Ulrich Sieveking

Ulrich Sieveking
  • Members
  • 10 posts

Posted 29 May 2018 - 09:12 AM

Hello all,

Besides a lot of other security-related features I'd like to see implemented in the ESG, one feature stands out: certificate validation in general and support for DANE in particular.

As we all know, the current system of public CAs is nearly completely broken, with thousands of illegitimate certificates issued by public CAs because of incompetency, governmental pressure and a host of other reasons. Thus it is an absolute necessity for users to be able to decide whose certificates to trust, and for any security device to provide the user with any reasonable and standardized method for certificate validation and the ability to configure and enforce validation and encryption as needed.

Offering only opportunistic encryption or easily MITMable encryption without certificate validation is no longer an option.

Therefore, I'd like to propose the following enhancements for the ESG:

1. Support DANE

2. Make certificate validation configurable on a per-domain level for sender and recipient with these options

2.1 Verify and block/quarantine/tag on failure / don't verify

2.2 Verify chain of trust to public CA

2.3 Verify certificate according to DANE DNS records

2.4 Verify certificate by other sensible, standardized means (Certificate Transparency and others come to mind)

 

3. Perhaps combine certificate validation and other methods of sender authentication like SPF, DKIM, DMARC per domain to a unified settings object in order to streamline configuration and ease administration.

 

Best regards,

U. Sieveking


#2 Ulrich Sieveking

Ulrich Sieveking
  • Members
  • 10 posts

Posted 29 May 2018 - 09:14 AM

Forgot one thing, even if it should be obvious:

2.2.1 Allow editing the trusted Root-CA list
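
Added example, not part of the thread and not ESG code: a sketch of what items 2.1 and 2.3 would mean in practice, matching a presented certificate against DANE-EE TLSA records (selector and matching-type fields as defined for TLSA) and applying a per-domain failure action. The policy layout, the function names and the sample bytes are assumptions made for illustration, and the TLSA RRset is assumed to have been DNSSEC-validated already.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tlsa:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (the usages RFC 7672 uses for SMTP)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def associated_data(selector, mtype, cert_der, spki_der):
    """Bytes a TLSA record must equal for this certificate, or None for unknown field values."""
    src = {0: cert_der, 1: spki_der}.get(selector)
    if src is None:
        return None
    if mtype == 0:
        return src
    algo = {1: hashlib.sha256, 2: hashlib.sha512}.get(mtype)
    return algo(src).digest() if algo else None

def dane_ee_matches(rrset, cert_der, spki_der):
    """True if any DANE-EE(3) record matches the presented leaf certificate."""
    for rr in rrset:
        if rr.usage != 3:
            continue  # DANE-TA(2) needs chain building, not shown here
        if associated_data(rr.selector, rr.mtype, cert_der, spki_der) == rr.data:
            return True
    return False

def decide(policy, domain, rrset, cert_der, spki_der):
    """Return 'deliver' or the failure action configured for the domain (hypothetical policy layout)."""
    rule = policy.get(domain, policy["*"])
    if rule["verify"] != "dane":
        return "deliver"
    # Assumption: a domain set to 'dane' treats missing or non-matching records as failure.
    return "deliver" if dane_ee_matches(rrset, cert_der, spki_der) else rule["on_failure"]

# Constructed sample data: placeholder bytes stand in for real DER encodings.
CERT, SPKI = b"constructed-certificate-der", b"constructed-spki-der"
GOOD = [Tlsa(3, 1, 1, hashlib.sha256(SPKI).digest())]
STALE = [Tlsa(3, 1, 1, hashlib.sha256(b"previous-key").digest())]
POLICY = {
    "example.org": {"verify": "dane", "on_failure": "quarantine"},
    "*": {"verify": "none", "on_failure": "tag"},
}

if __name__ == "__main__":
    for name, rrset in (("good", GOOD), ("stale", STALE)):
        print(name, decide(POLICY, "example.org", rrset, CERT, SPKI))
```

The stale record models a key rollover where the published TLSA data was not updated, which is the case a block/quarantine/tag setting has to handle.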