On Friday 11 Feb 2011 05:08:10 Steve Schultze wrote:
<snip>
> - OCSP and CRLs are unnecessary with DANE

Steve, may we presume that you only intended this statement to apply to the use of self-signed certs with DANE?

When an EV (or OV) certificate issued by a third-party CA is used with DANE, I would argue that OCSP and CRLs are still essential, because these certificates make claims (about organizational identity) that can't be assured by DNS(SEC)/DANE.

When a DV certificate issued by a third-party CA is used with DANE, I would argue that OCSP and CRLs may be less than essential but they are still useful (e.g. the CA may subsequently detect that the key or hash algorithm used in the certificate is weak).

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto