@22decembre @david

I truly believe this is part of Google leaning on Mozilla.

@mwlucas @22decembre Never thought about it.

But the question is 'why?' they don't love the CA cartel, they've undercut the CAs at every opportunity. Their solutions of certificate pinning, certificate transparency, have been shown to be snakeoil and crap at every turn... What do they get by opposing DANE/DNSSEC... ESPECIALLY as they support a DNS powered ESNI?

@david @22decembre the only secure path is to give the Google all your business. Then they will help you.

@mwlucas @22decembre this reminds me of cloudflare's business model. Everything they do/support (ESNI, DoH, DNS) works better/faster if you are their customer, and slower than before if you are not.

@22decembre @mwlucas Yeah, and their arguments are totally BS, and their duplicity is laid bare by their own support of ESNI which.. puts public keys in DNS for SSL requests!

Google's take is likewise poor.

I think a grassroots campaign needs to be waged. Start embedding it in projects and libraries. For example imagine if mastodon for its federation protocol supported DANE.

@david @mwlucas that would be cool.

Alas, i am no dev', so don't have true power there in...

@david @22decembre @mwlucas Wait, Mastodon federates but without DANE? How does that work without introducing "too big to fail" problems? I have DANE for my XMPP service, it's about the only sane choice (of the realistically available today options) for server<->server federated communication.

@philpennock @22decembre @mwlucas I just uses the standard CA infrastructure that everyone else uses. Is that 'too big to fail'? I think you HAVE to support the CA infrastructure; but that doesn't mean you need to ONLY support the CA infrastructure, and you get enough things ALSO supporting DANE, and you can slowly ween people off of the CAs... kinda like how we're trying to get IPv6, or ESNI, or even SNI in the first place