Hello. http://tools.ietf.org/html/rfc6394#section-3.1 :

> Continuing to require PKIX validation also limits the degree to which
> DNS operators (as distinct from the holders of domains) can interfere
> with TLS authentication through this mechanism. As above, even if a
> DNS operator falsifies DANE records, it cannot masquerade as the
> target server unless it can also obtain a certificate for the target
> domain.

This seems like a mistake to me: a DNS operator can always issue a fraudulent usage 2/3 record, and thus skip the CA validation. The only advantage I can see in usage 0/1 is that it allows CA-based certificate revocation in case of private key compromise.

Alexander Gurvitz, net-me.net
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
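The distinction the message turns on is how the four TLSA certificate usages (RFC 6698: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE) treat the public-CA chain. The following Python is an added illustration, not code from the list post or from any DANE implementation: it models a TLSA verifier with constructed stand-in certificates (plain byte strings, not real X.509; the names `Cert`, `TLSA`, `dane_verify` and `scenario` are this example's own) and shows that a usage 3 record for a self-signed key is accepted with no CA involvement, while a usage 1 record for the same key is rejected, and that a verifier policy limited to usages 0/1 refuses the usage 3 record altogether. Real deployments additionally require the TLSA RRset to be DNSSEC-validated before it is trusted; that step is outside this toy.

```python
import hashlib
from dataclasses import dataclass

# TLSA certificate usage values (RFC 6698 section 2.1.1).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector: 0 = full certificate, 1 = SubjectPublicKeyInfo.
# Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.


@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate (not real DER)."""
    name: str
    der: bytes
    spki: bytes
    issuer: str  # name of the issuing cert; self-signed when equal to name


@dataclass
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def association_data(cert, selector, mtype):
    """Compute the certificate association data for a cert under selector/mtype."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError("unknown matching type")


def matches(record, cert):
    return association_data(cert, record.selector, record.mtype) == record.data


def chain_links(chain):
    """Each cert must be issued by the next one in the list."""
    return all(c.issuer == p.name for c, p in zip(chain, chain[1:]))


def pkix_valid(chain, trusted_cas):
    """Toy PKIX check: linked chain ending in a self-signed root from the trust store."""
    root = chain[-1]
    return chain_links(chain) and root.issuer == root.name and root.name in trusted_cas


def dane_verify(records, chain, trusted_cas, allowed_usages=(0, 1, 2, 3)):
    """Return the usage of the first record that authenticates the chain, else None.

    chain[0] is the end-entity certificate presented by the server.
    allowed_usages is a local verifier policy; (0, 1) forces PKIX validation.
    """
    ee = chain[0]
    for r in records:
        if r.usage not in allowed_usages:
            continue
        if r.usage == PKIX_TA:
            # Public-CA chain must validate, and some CA cert in it must match.
            if pkix_valid(chain, trusted_cas) and any(matches(r, c) for c in chain[1:]):
                return r.usage
        elif r.usage == PKIX_EE:
            # Public-CA chain must validate, and the end-entity cert must match.
            if pkix_valid(chain, trusted_cas) and matches(r, ee):
                return r.usage
        elif r.usage == DANE_TA:
            # Chain must link up to a cert matching the record; no public CA consulted.
            for i, c in enumerate(chain[1:], start=1):
                if matches(r, c) and chain_links(chain[: i + 1]):
                    return r.usage
        elif r.usage == DANE_EE:
            # Only the end-entity cert is checked; no chain, no public CA.
            if matches(r, ee):
                return r.usage
    return None


def scenario():
    """Constructed data: a public CA, the domain holder's cert, and a self-signed key."""
    ca = Cert("PublicCA", b"ca-der", b"ca-spki", "PublicCA")
    real = Cert("example.net", b"real-der", b"real-spki", "PublicCA")
    selfsigned = Cert("example.net", b"ss-der", b"ss-spki", "example.net")
    trusted = {"PublicCA"}
    usage1_real = TLSA(PKIX_EE, 1, 1, association_data(real, 1, 1))
    usage1_self = TLSA(PKIX_EE, 1, 1, association_data(selfsigned, 1, 1))
    usage3_self = TLSA(DANE_EE, 1, 1, association_data(selfsigned, 1, 1))
    return {
        # CA-issued cert with a usage 1 record: accepted via PKIX.
        "real_usage1": dane_verify([usage1_real], [real, ca], trusted),
        # Self-signed key with a usage 1 record: rejected, no CA chain.
        "self_usage1": dane_verify([usage1_self], [selfsigned], trusted),
        # Same key with a usage 3 record: accepted, CA never consulted.
        "self_usage3": dane_verify([usage3_self], [selfsigned], trusted),
        # Verifier policy restricted to PKIX usages refuses the usage 3 record.
        "self_usage3_pkix_only": dane_verify([usage3_self], [selfsigned], trusted, (0, 1)),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The `allowed_usages` policy is the verifier-side knob that the quoted RFC text is reasoning about: only when it excludes usages 2 and 3 does acceptance still depend on a public-CA issued certificate, which is what keeps CA-side revocation meaningful.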
