On Tue, 9 Oct 2012, Matt McCutchen wrote:
> This is awfully late to raise an objection. I believe the argument for the current design was that a server operator may care: he may want a revocation via the CA to be effective on DANE clients without having to also pull the certificate from the DNS.

Why would you _ever_ want to keep a revoked key in the DNS? If the key is revoked, it should not be in use, and therefore should not be in the DNS. While you will still need to revoke the key at the CA, because someone else might have a stolen copy of your private key and not be DANE aware, that's the slow offline process that in no way has to slow down your key update mechanism inside your own DNS tree.

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
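The mechanism the reply relies on, in an added example that is not part of the thread: a DANE-EE ("3 1 1") client only accepts an end-entity key whose TLSA record is published in the zone, so an operator who removes the old key's record and publishes the new one makes the old key unusable for DANE-aware clients independently of the CA. The SubjectPublicKeyInfo byte strings, certificate blobs and the `rotate_key` / `dane_ee_accepts` helper names are constructed for illustration; matching follows RFC 6698 (selector 1 = SPKI, matching type 1 = SHA-256), and only usage 3 is modelled, since usages 0 to 2 also require PKIX chain validation.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real ones are
# taken from the certificate; the matching logic only ever sees raw bytes.
OLD_SPKI = b"constructed-spki-old-key"   # key being rotated out (e.g. after a compromise)
NEW_SPKI = b"constructed-spki-new-key"   # replacement key


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA RR (RFC 6698): usage, selector, matching type, association data."""
    usage: int      # 3 = DANE-EE: the record itself names the end-entity key
    selector: int   # 1 = match on SubjectPublicKeyInfo, 0 = on the full certificate
    mtype: int      # 1 = SHA-256 of the selected data, 2 = SHA-512, 0 = exact bytes
    data: bytes


def _digest(selected: bytes, mtype: int) -> bytes:
    """Apply the TLSA matching type to the selected certificate data."""
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_for_key(spki_der: bytes, usage: int = 3, mtype: int = 1) -> TLSARecord:
    """Build the record (by default "3 1 1") an operator publishes for a key."""
    return TLSARecord(usage, 1, mtype, _digest(spki_der, mtype))


def record_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate satisfy this one record?"""
    selected = cert_der if rec.selector == 0 else spki_der
    return _digest(selected, rec.mtype) == rec.data


def dane_ee_accepts(records: Iterable[TLSARecord], cert_der: bytes, spki_der: bytes) -> bool:
    """Client side: accept if any DANE-EE record in the (DNSSEC-validated) RRset matches.
    No CA or CRL is consulted for usage 3, which is why removal from DNS is decisive."""
    return any(r.usage == 3 and record_matches(r, cert_der, spki_der) for r in records)


def rotate_key(zone: List[TLSARecord], old_spki: bytes, new_spki: bytes) -> List[TLSARecord]:
    """Operator side: drop every SPKI record naming the old key and publish the new one.
    Revoking the old key at the CA (for non-DANE clients) is a separate, slower step."""
    old_hashes = {_digest(old_spki, m) for m in (0, 1, 2)}
    kept = [r for r in zone if not (r.selector == 1 and r.data in old_hashes)]
    return kept + [tlsa_for_key(new_spki)]


def demo() -> tuple:
    """Walk through one rotation: old key accepted, then rejected; new key accepted."""
    old_cert = b"constructed-cert-wrapping-" + OLD_SPKI
    new_cert = b"constructed-cert-wrapping-" + NEW_SPKI
    zone = [tlsa_for_key(OLD_SPKI)]
    before = dane_ee_accepts(zone, old_cert, OLD_SPKI)
    zone = rotate_key(zone, OLD_SPKI, NEW_SPKI)
    after_old = dane_ee_accepts(zone, old_cert, OLD_SPKI)
    after_new = dane_ee_accepts(zone, new_cert, NEW_SPKI)
    return before, after_old, after_new


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

One practical caveat the code does not model: the old record stays visible to clients until resolver caches expire, so the effective cut-over is bounded by the RRset's TTL, and the zone must remain DNSSEC-signed for any of this to be trusted.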
