On Wed, Nov 14, 2012 at 05:07:58PM +0000, Ben Laurie wrote:
> On 14 November 2012 17:02, Tony Finch <[email protected]> wrote:
> > Warren Kumari <[email protected]> wrote:
> >>
> >> If I run example.com and someone managed to generate / publish a TLSA
> >> record for that I'd sure like to know about it.
> >
> > Right. But in PKIX a mis-issued certificate has nothing to do with your
> > own infrastructure, whereas with DANE it implies that your infrastructure
> > (or the infrastructure of your DNS service providers) has been
> > compromised.
>
> Isn't the infrastructure of your DNS service providers nothing to do
> with your own infrastructure? Not to mention your TLD's
> infrastructure, and that of all of their registrars (and, presumably,
> DNS service providers)?
One critical difference is that with DANE, I can query the DNSSEC delegation
chain myself and detect whether my TLD has installed a bogus DS record and take
action. I cannot today detect a bogus X.509 cert by myself. I think this makes a
CT-like scheme less necessary for DANE.

--
Shumon Huque
University of Pennsylvania.
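As an added illustration (not code from this thread or from any of its participants), the self-check described above can be done with the Python standard library: derive the DS records from your own DNSKEY RRset (RFC 4034 section 5.1.4) and diff them against the DS RRset the parent zone actually serves. The DNSKEY and the parent DS set below are constructed sample data; fetching both RRsets through a DNSSEC-validating resolver is assumed to happen outside this snippet.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY (KSK: flags 257, protocol 3, algorithm 13). The key
# bytes are a placeholder, not a real key, so the derived digest is illustrative only.
OWN_DNSKEYS = [{
    "owner": "example.com.", "flags": 257, "protocol": 3, "algorithm": 13,
    "public_key_b64": base64.b64encode(bytes(range(64))).decode(),
}]

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: Flags | Protocol | Algorithm | Public Key (RFC 4034 section 2)."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + \
        base64.b64decode(key["public_key_b64"])

def key_tag(rdata: bytes) -> int:
    """Key tag for algorithms other than RSA/MD5, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def expected_ds(key: dict, digest_type: int = 2) -> tuple:
    """DS the parent should publish: digest(owner name || DNSKEY RDATA), RFC 4034 5.1.4."""
    rdata = dnskey_rdata(key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(key["owner"]) + rdata).hexdigest()
    return (key_tag(rdata), key["algorithm"], digest_type, digest)

def audit_parent_ds(parent_ds_set, own_keys=OWN_DNSKEYS, digest_type=2):
    """Diff the DS RRset observed at the parent (tag, alg, digest type, hex digest)
    against the DS records derived from our own keys. Returns (unexpected, missing):
    DS entries we never generated (a possibly bogus delegation) and own keys omitted."""
    wanted = {expected_ds(k, digest_type) for k in own_keys}
    observed = {(t, a, d, h.lower()) for t, a, d, h in parent_ds_set}
    return sorted(observed - wanted), sorted(wanted - observed)
```

Any entry in `unexpected` is a DS at the parent that does not correspond to a key you control, which is exactly the condition the post says a zone owner can detect for themselves.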
