STARTTLS and DANE
The DANE standard is an extra security check for both web and email. DANE is an identity verification tool that double-checks whether everything is as it should be. Think of a fake driving licence that looks just like a real one – only the licence number will reveal that it is a fake. DANE serves as a registry to verify that the number on the driving licence is real and that it matches the owner of the licence.
Why?
- "Opportunistic Security: Some Protection Most of the Time" by V. Dukhovni
- "New e-mail security protocols mandatory within government" by Marco Davids (SIDNlabs)
- "The sad state of SMTP encryption" by Filippo Valsorda
Adoption statistics
Further information
- How-to on 'DANE for SMTP' from the Dutch Internet Standards Platform
- Wiki on 'DANE for SMTP'
- Factsheet "Secure the connections of mail servers" from NCSC-NL
- "ICT security guidelines for TLS v2.0" from NCSC-NL
- BSI TR-03108 Sicherer E-Mail-Transport from German Federal Office for Information Security
- Special Publication 1800-6: “Domain Name Systems-Based Electronic Mail Security” from NIST
Specifications and guidelines
- RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
- RFC 7672: SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
- RFC 7671: The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance