On 14 November 2012 17:02, Tony Finch <[email protected]> wrote:
> Warren Kumari <[email protected]> wrote:
>>
>> If I run example.com and someone managed to generate / publish a TLSA
>> record for that I'd sure like to know about it.
>
> Right. But in PKIX a mis-issued certificate has nothing to do with your
> own infrastructure, whereas with DANE it implies that your infrastructure
> (or the infrastructure of your DNS service providers) has been
> compromised.

Isn't the infrastructure of your DNS service providers nothing to do
with your own infrastructure? Not to mention your TLD's
infrastructure, and that of all of their registrars (and, presumably,
DNS service providers)?

> I'm a bit worried about the operational implications: PKIX CT is extra
> work for CAs, but DANE CT is extra work for everyone.

Only everyone who uses keys, and they've already signed up for quite a
lot of work.

> So I'm skeptical that the cost/benefit tradeoff is positive.

I am unconvinced by your argument.

>
> Tony.
> --
> f.anthony.n.finch  <[email protected]>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
