On Wed, Nov 14, 2012 at 04:35:31PM +0000, Ben Laurie wrote:
> On 14 November 2012 16:30, Paul Wouters <[email protected]> wrote:
> > On Wed, 14 Nov 2012, Ben Laurie wrote:
...
> >>> What problem would CT for DANE be aiming to fix?
> >>
> >> By all means add that to the list of questions :-)
> >>
> >> But I assume the same problem CT already fixes: misissuance of certs
> >> (which in the DNSSEC world I guess mostly boils down to bad
> >> delegation).
> >
> > Does that make sense though? With RRSIG validity times and TTLs you
> > can set your "damage period" as small as you want. There is no issue
> > like with certificates where your credentials can be abused for up to
> > 12 months.
> >
> > The only use I could see is as an alternative mechanism to transfer these
> > records into the application that does not require a clean DNS transport.
> >
> > I think CT is a bandaid for PKIX that does not apply to DANE.
> >
> > I think the problem with DANE/DNSSEC right now is the additional latency
> > and DNS transport issues (hotspots, VPN, etc.) but I don't think CT is
> > very well suited to address those.
>
> a) Why would an attacker use your validity times?
What do you mean? What is your attack scenario?

This thread quickly starts to move to a marshy soil.

Fred

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
