Meet the next generation of email security. His name is DANE (DNS-based Authentication of Named Entities).
The US government and dot-com giant VeriSign have teamed up to build a brand new secure email system using the internet’s very own domain name system.
DANE will sit beside the existing TLS (Transport Layer Security) protocol to create a two-pronged approach, allowing for two types of email: unsigned and signed. Unsigned would continue to use TLS to send email between servers, using DANE to protect TLS keys. Signed would use essentially the same system but incorporate S/MIME public key encryption.
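The "DANE protects TLS keys" step works by publishing a TLSA record in DNS that names the server's certificate or public key, so a receiving mail server can check the key presented during STARTTLS against DNS rather than (or in addition to) a CA. The following is an added example, not code from the article or from the VeriSign project, showing the TLSA record format and the RFC 6698 matching rules for the DANE-EE case. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and the `dnssec_validated` flag stands in for the resolver's AD bit; a real client would extract the SPKI from the server's actual leaf certificate with an ASN.1 parser.

```python
"""Check a presented TLS certificate against DANE TLSA records (RFC 6698).

Added example, not part of the original article.  The DER byte strings
below are constructed placeholders, not a real certificate or key.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded objects.  A real check would use the
# leaf certificate the SMTP server sends during STARTTLS and pull the
# SubjectPublicKeyInfo (SPKI) out of it with an ASN.1 parser.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CERT-BYTES"
SAMPLE_SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI-BYTES"


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo only
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(rr: str) -> TLSARecord:
    """Parse one TLSA record in zone-file presentation format, e.g.
    '_25._tcp.mail.example.com. IN TLSA 3 1 1 <hex digest>'."""
    fields = rr.split()
    if "TLSA" not in fields:
        raise ValueError("not a TLSA record")
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    # The hex data may be broken across whitespace in presentation format.
    data = bytes.fromhex("".join(fields[i + 4:]))
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    return TLSARecord(usage, selector, mtype, data)


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def dane_matches(records, cert_der, spki_der, dnssec_validated) -> bool:
    """Return True if a usable TLSA record matches the presented leaf.

    Only DANE-EE (usage 3) is handled: it binds the DNS name directly to the
    server's own key, so no CA is consulted.  Usage 2 needs the server's
    chain and usages 0/1 still need PKIX validation; a full client must
    handle those too.  Records that did not arrive DNSSEC-validated are
    ignored, because otherwise anyone able to forge DNS answers could
    publish a record for their own key.
    """
    if not dnssec_validated:
        return False
    for rec in records:
        if rec.usage != 3:
            continue
        if rec.data == association_data(rec, cert_der, spki_der):
            return True
    return False


def demo() -> dict:
    """Exercise the matcher with a current record, a stale one, and unsigned DNS."""
    current_hex = hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()
    current = parse_tlsa(f"_25._tcp.mail.example.com. IN TLSA 3 1 1 {current_hex}")
    # Constructed stale record: key was rotated but DNS was never updated.
    stale = parse_tlsa("_25._tcp.mail.example.com. IN TLSA 3 1 1 " + "00" * 32)
    return {
        "validated_match": dane_matches([stale, current], SAMPLE_CERT_DER, SAMPLE_SPKI_DER, True),
        "validated_stale_only": dane_matches([stale], SAMPLE_CERT_DER, SAMPLE_SPKI_DER, True),
        "unsigned_dns": dane_matches([current], SAMPLE_CERT_DER, SAMPLE_SPKI_DER, False),
    }


if __name__ == "__main__":
    print(demo())
```

The stale-record case is the operational failure mode to plan for: once a domain publishes TLSA records, every key rotation must be preceded by publishing the new record (and waiting out the TTL) or DANE-aware senders will refuse delivery. The unsigned-DNS case shows why DANE depends on DNSSEC, which is the root of the registry-control concern raised below.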
What this all means for you and me is a user-operated security system, so you don't have to rely on your ISP's security. For businesses in particular, as well as heightened security, the new protocol would make email spoofing much harder and reduce malware sent via email.
So that's the good; what about the bad? As any CSO will tell you, there is no silver bullet when it comes to data security, and DANE is no exception. Firstly, because the system relies on top-level domain names, governments could still exert control over a particular registry. Since most of these domain names fall under the purview of the United States government, through contracts with ICANN, don't think the NSA won't still be able to read your emails if it really wants to.
The system would also still rely on Certificate Authorities to provide certificates for encryption. That means that problems with fake or invalid certificates being used to gain access to server-based email systems (office email for example) aren’t going away any time soon.
The researchers for the project are currently working on a proof of concept so actual implementation looks to be a way off yet. The team are looking for collaborators and have set up a public forum to take comments.