Certification Authorities (CAs) are organizations that issue cryptographic SSL certificates. They sign them with their electronic signature, confirming their authenticity. However, situations sometimes arise in which a certificate is issued in violation of the rules. For example, last year Google began a "distrust procedure" for Symantec certificates because of their negligence (we covered this story in detail on our blog - parts one and two).
To avoid such situations, several years ago the IETF began developing the DANE technology (although it is not widely used in browsers - we will discuss why this happened later).
DANE (DNS-based Authentication of Named Entities) is a set of specifications that allow DNSSEC (Domain Name System Security Extensions) to be used to control the validity of SSL certificates. DNSSEC is an extension of the Domain Name System that minimizes address spoofing attacks. Using these two technologies, a website administrator or client can contact one of the DNS operators and verify the validity of the certificate being used.
In essence, DANE acts as a self-signed certificate (with DNSSEC as the guarantor of its trustworthiness) and takes over the functions of a CA.
How it works
The DANE specification is described in RFC 6698. According to the document, a new resource record type, TLSA, was added to DNS. It contains information about the certificate being transmitted, the size and type of the data being transmitted, as well as the data itself. The webmaster creates a digital fingerprint of the certificate, signs it with DNSSEC, and places it in the TLSA record.
The client connects to the resource on the Internet and compares its certificate with the "sample" received from the DNS operator. If they match, the resource is considered trusted.
The DANE wiki page gives the following example of a DNS request for example.org on TCP port 443:
IN TLSA _443._tcp.example.org
The response looks like this:
_443._tcp.example.com. IN TLSA (
3 0 0 30820307308201efa003020102020... )
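The three leading numbers in that response are the RFC 6698 usage, selector and matching-type fields (3 0 0 = DANE-EE, full certificate, exact DER bytes), and the fingerprint comparison the client performs is easy to reproduce. The following is an added example, not code from the original article or from any DANE implementation; the certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and the DNSSEC validation of the TLSA answer itself (the AD bit from a validating resolver) is assumed to have happened already.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Matching-type values from RFC 6698: 0 = exact data, 1 = SHA-256, 2 = SHA-512.
MATCHING_TYPES = {0: None, 1: "sha256", 2: "sha512"}


@dataclass
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo
    matching_type: int  # see MATCHING_TYPES
    data: bytes         # certificate association data


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation format 'usage selector mtype hex...'; the parentheses
    and line breaks of a multi-line zone-file record are tolerated."""
    fields = rdata.replace("(", " ").replace(")", " ").split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in MATCHING_TYPES:
        raise ValueError("unknown TLSA usage/selector/matching type")
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def association_data(cert_der: bytes, spki_der: bytes, rec: TLSARecord) -> bytes:
    """The bytes the TLSA data field must hold for this certificate: the selected
    part of the certificate, verbatim or hashed according to the matching type."""
    subject = cert_der if rec.selector == 0 else spki_der
    algo = MATCHING_TYPES[rec.matching_type]
    return subject if algo is None else hashlib.new(algo, subject).digest()


def make_tlsa_rdata(cert_der, spki_der, usage=3, selector=1, mtype=1) -> str:
    """Server side: the record the webmaster publishes (default form '3 1 1')."""
    rec = TLSARecord(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {association_data(cert_der, spki_der, rec).hex()}"


def tlsa_matches(cert_der, spki_der, rec: TLSARecord) -> bool:
    """Client side: compare the certificate presented in the TLS handshake with
    the published association data, using a constant-time comparison."""
    return hmac.compare_digest(association_data(cert_der, spki_der, rec), rec.data)


# Constructed stand-in bytes (not a real certificate): a real client would take
# the DER certificate from the handshake and extract its SubjectPublicKeyInfo.
CERT_DER = b"\x30\x82\x03\x07" + b"CONSTRUCTED-CERT-BODY" * 3
SPKI_DER = b"\x30\x59" + b"CONSTRUCTED-SPKI-BODY"
```

Extracting the SubjectPublicKeyInfo for selector 1 needs an ASN.1 parser (for example the cryptography package), which is why the example takes it as a separate argument; a 3 1 1 record is the common choice because it survives certificate renewals that keep the same key.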