On 14 November 2012 12:29, Shumon Huque <[email protected]> wrote:

> One critical difference is that with DANE, I can query the DNSSEC
> delegation chain myself and detect whether my TLD has installed a
> bogus DS record and take action. I cannot today detect a bogus
> X.509 cert by myself. I think this makes a CT-like scheme less necessary
> for DANE.
I can query my server on port 443 and see if there is a bogus certificate.

The lack of a bogus certificate in a response to a single query does not mean there is not a valid attacker-controlled signature chain an attacker could send to attack a user - whether that signature chain is of PKIX signatures or DNSSEC signatures.

-tom
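The check Shumon describes (comparing the DS RRset the parent publishes for your zone against the DNSKEYs you actually hold) can be scripted, and Tom's caveat applies to it: a single clean answer only tells you what one resolver was served at that moment, so it is a monitoring signal, not proof that no bogus chain exists anywhere. The following is an added example, not code from either poster or the IETF dane list. It implements the DS digest computation from RFC 4034 (owner name in wire format followed by the DNSKEY RDATA, hashed with SHA-1, SHA-256 or SHA-384) and the key tag algorithm from RFC 4034 Appendix B, then reports any published DS that does not correspond to one of your keys. The zone name, key material and the "bogus" DS are constructed placeholders; fetching the live DS set from the parent's authoritative servers and your own DNSKEY RRset (for example with dig) is left to the caller.

```python
import base64
import hashlib
import struct

# Digest types from the IANA DS digest registry that this example understands.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (ones-complement-style 16-bit sum)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for_key(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, digest_type: int = 2) -> tuple:
    """The DS record (key tag, algorithm, digest type, hex digest) a parent should publish
    for this DNSKEY: digest = hash(owner name wire format || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def unexpected_ds(owner: str, published_ds: list, my_dnskeys: list) -> list:
    """Return every DS in the parent's published set that does not match one of my keys
    under any supported digest type. Each entry is (key_tag, alg, digest_type, hex digest);
    my_dnskeys entries are (flags, protocol, algorithm, pubkey_b64)."""
    expected = {ds_for_key(owner, *key, digest_type=dt) for key in my_dnskeys for dt in DIGESTS}
    return [ds for ds in published_ds if (ds[0], ds[1], ds[2], ds[3].upper()) not in expected]


# --- Constructed sample data (placeholders, not real DNS records) -------------------
ZONE = "example.com."
# 64 arbitrary bytes standing in for a public key; not a usable key of any algorithm.
KSK_PUBKEY = base64.b64encode(bytes(range(64))).decode()
MY_DNSKEYS = [(257, 3, 13, KSK_PUBKEY)]           # flags 257 = ZONE + SEP (a KSK)
LEGIT_DS = ds_for_key(ZONE, 257, 3, 13, KSK_PUBKEY)
# A DS for a key the zone owner never held, i.e. what an unauthorised change at the
# registry would look like in the parent's answer. Digest value is a placeholder.
BOGUS_DS = (12345, 13, 2, "AB" * 32)
PUBLISHED_DS = [LEGIT_DS, BOGUS_DS]               # stands in for the parent's DS RRset


def check() -> list:
    """Run the comparison over the constructed data; returns the DS entries to alert on."""
    return unexpected_ds(ZONE, PUBLISHED_DS, MY_DNSKEYS)


if __name__ == "__main__":
    for tag, alg, dtype, digest in check():
        print(f"ALERT: parent publishes DS {tag} {alg} {dtype} {digest} matching none of my keys")
```

Run this against the DS RRset from each of the parent's authoritative servers, and from several resolvers, rather than once: a DS that appears only in some answers is exactly the case a single query would miss.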
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
