Warren Kumari <[email protected]> wrote:
>
> If I run example.com and someone managed to generate / publish a TLSA
> record for that I'd sure like to know about it.
Right. But in PKIX a mis-issued certificate has nothing to do with your own infrastructure, whereas with DANE it implies that your infrastructure (or the infrastructure of your DNS service providers) has been compromised.

I'm a bit worried about the operational implications: PKIX CT is extra work for CAs, but DANE CT is extra work for everyone. So I'm skeptical that the cost/benefit tradeoff is positive.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
