
public-l - [DENICpublic-l] PRESS RELEASE - DENIC eG implements secure and confidential e-mail communication based on DANE and DNSSEC

public-l AT list.denic.de

Subject: Public DENIC mailinglist

  • From: DENIC Presse <presse AT denic.de>
  • To: Public-L <public-l AT denic.de>
  • Subject: [DENICpublic-l] PRESS RELEASE - DENIC eG implements secure and confidential e-mail communication based on DANE and DNSSEC
  • Date: Thu, 23 Oct 2014 18:13:22 +0200

*PRESS RELEASE*

DENIC eG implements secure and confidential e-mail communication based on
DANE and DNSSEC

--------------------------------------------------------------------------------------------------------------------------------------------

Dear Sir or Madam,

DENIC eG is among the early adopters who have implemented the technology
labelled DANE with the objective to secure e-mail communication. Having
been developed by the Internet Engineering Task Force (IETF) as an open
standard, DANE is a powerful tool to encrypt data traffic between mail
servers and to verify the identity of the involved servers, in a reliable
manner.

DANE interlinks conventional certificates (a sort of electronic “identity
cards”) with the Internet’s “directory service”, the Domain Name System
(DNS). The e-mail transport encryption enabled by DANE and based on the
security extensions DNSSEC effectively eliminates the risk of e-mails or
messages being redirected or intercepted, as a result of man-in-the-middle
interference. DANE for e-mail is an essential step towards securing
Internet communications end-to-end for everyone.

The .DE top level domain has been signed with DNSSEC since 2011 already,
when DENIC established one of the fundamental bases paving the way for the
practical use of DANE, in Germany. For more details on how DNSSEC can be
implemented technically, domain holders are referred to their Internet
service providers.

-------------------------------

About DANE
DANE (DNS-Based Authentication of Named Entities) is described in RFC
6698, a specification issued by the Internet Engineering Task Force
(IETF). Using DANE enables so-called X.509 certificates to be stored in
the Domain Name System (DNS). The purpose of X.509 certificates is to
confirm the identity of a webserver (or other systems). Linking
certificates to the DNS creates a number of new options:

1. By publishing a root certificate, the server operator can state
which Certificate Authority (CA) he relies on, thus which organization is
authorized to issue digital certificates for his servers. In case another
CA issues such certificate either maliciously or as a result of a
manipulation of its systems, but without the operator’s express consent,
the Internet user will be alerted accordingly.

2. Where self-signed certificates are used, with no CA services
involved, a second channel is established by the certificate being
published via the DNS. This enables the application to validate and
accept such certificate.

3. Additionally, DANE allows using different certificates (and
thereby different cryptographic parameters) for services which can be
accessed via the same host name (such as mail, web or instant messaging).

Currently DANE is used, particularly in Germany, to control encrypted
communication between mail servers. Further applications are presently
undergoing standardization procedures within the IETF. Among the
applications currently being extended using DANE are end-to-end encryption
and digital signing based on the S/MIME process.

About DNSSEC
The Domain Name System (DNS) as it was originally designed does not
provide for any authentication of the distributed information.
Communication between name servers and Internet applications (such as web
browsers or VoIP phones) is not completely safe against third-party
tampering. Over the past years, various attack scenarios have been
described, which keep being refined by attackers. By adding digital
signatures to the DNS, DNSSEC (short for DNS Security) helps protect
DNS data. These signatures make sure that responses to application
requests are identical to the data published by the responsible DNS
administrator, in their name servers. The root of the DNS hierarchy has
been DNSSEC secured since 2010, with the .DE domain managed by DENIC
following up in 2011.


Kind regards

Stefanie Welters
Public Relations Officer
--

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: presse AT denic.de
Fon: +49 69 27235-274
Fax: +49 69 27235-235
http://www.denic.de

Information pursuant to Section 25a (1) GenG:
DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Andreas Musielak, Carsten Schiefner, Dr. Jörg
Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Local Court
(Amtsgericht) Frankfurt am Main

____________________________________
Mailinglist-Management:
http://mailinglists.denic.de/mailman/listinfo/public-l
