Tony,

how can the *parent* domain provide the identity?
The TLSA record is content of the domain (not the parent), isn't it?
I know that, for DNSSEC, the parent signs the domains public key
information (DS),
but that is purely DNSSEC.
It does not contribute to the identity of the domain holder.
Or what am I missing?

Marc

On Wed, Jan 30, 2013 at 12:49 PM, Tony Finch <[email protected]> wrote:
> Marc Lampo <[email protected]> wrote:
>
>> But since domain registration can be quite anonymous
>> doesn't this mean that anybody could, if support for TLSA is widespread,
>> create https websites that do not cause warning messages to users.
>
> Yes, that is the desirable outcome.
>
>> To me it seems that anybody could, kind of, produce his own identity card?
>
> No, the identity is provided by the parent domain.
>
>> If that is the case, it would only increase the need for HTTPS inspection
>>  - "man-in-the-middle" -
>
> Why?
>
>> in which case the certificate offered to the user will change
>> and no longer be "in line" with the TLSA record.
>
> Indeed. DANE will detect the man-in-the-middle attack.
>
> Tony.
> --
> f.anthony.n.finch  <[email protected]>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
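The exchange above turns on two separate things: the TLSA record itself lives in the domain holder's own zone and just pins the server's certificate (or key), while the DNSSEC chain through the parent's DS record is what makes that record trustworthy. The following is an added example, not code from either poster or from any DANE implementation, showing the first half: a domain holder deriving a "3 1 1" TLSA record (DANE-EE, SubjectPublicKeyInfo, SHA-256) from its certificate, and a client checking the certificate it is actually presented against that record. The certificates are throwaway self-signed ones generated in the program, the owner name `_443._tcp.www.example.com.` is assumed, and DNSSEC validation of the record (the part the parent contributes) is assumed to have happened already and is not performed here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord holds the rdata fields of a TLSA resource record (RFC 6698).
type TLSARecord struct {
	Usage        uint8  // 3 = DANE-EE: the end-entity certificate itself is the trust anchor
	Selector     uint8  // 0 = whole certificate, 1 = SubjectPublicKeyInfo
	MatchingType uint8  // 0 = exact bytes, 1 = SHA-256
	Data         []byte // certificate association data
}

// Presentation renders the record as it would appear in the domain holder's zone file.
func (r TLSARecord) Presentation(owner string) string {
	return fmt.Sprintf("%s IN TLSA %d %d %d %s", owner, r.Usage, r.Selector,
		r.MatchingType, hex.EncodeToString(r.Data))
}

// associationData derives the certificate association data for a certificate
// according to the selector and matching type.
func associationData(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var selected []byte
	switch selector {
	case 0:
		selected = cert.Raw
	case 1:
		selected = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case 0:
		return selected, nil
	case 1:
		sum := sha256.Sum256(selected)
		return sum[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", matching)
}

// PublishTLSA builds the DANE-EE record a domain holder publishes in its own zone.
func PublishTLSA(cert *x509.Certificate, selector, matching uint8) (TLSARecord, error) {
	data, err := associationData(cert, selector, matching)
	if err != nil {
		return TLSARecord{}, err
	}
	return TLSARecord{Usage: 3, Selector: selector, MatchingType: matching, Data: data}, nil
}

// MatchesTLSA is the client-side check: does the certificate presented in the TLS
// handshake match the TLSA record? The record is assumed to be DNSSEC-validated already.
func MatchesTLSA(rec TLSARecord, presented *x509.Certificate) (bool, error) {
	if rec.Usage != 3 {
		return false, fmt.Errorf("only DANE-EE (usage 3) is handled in this example")
	}
	got, err := associationData(presented, rec.Selector, rec.MatchingType)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, rec.Data), nil
}

// mustCert creates a throwaway self-signed certificate (constructed test data) for name.
func mustCert(name string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Demo publishes a "3 1 1" record for the genuine server certificate, then checks both
// that certificate and a substitute (same name, different key, as an interception proxy
// would present) against it. It returns (genuineMatches, substituteMatches).
func Demo() (bool, bool) {
	genuine := mustCert("www.example.com")
	rec, err := PublishTLSA(genuine, 1, 1)
	if err != nil {
		panic(err)
	}
	fmt.Println(rec.Presentation("_443._tcp.www.example.com."))
	substitute := mustCert("www.example.com")
	genuineOK, err1 := MatchesTLSA(rec, genuine)
	substituteOK, err2 := MatchesTLSA(rec, substitute)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	return genuineOK, substituteOK
}

func main() {
	g, s := Demo()
	fmt.Printf("genuine certificate matches: %v, substitute certificate matches: %v\n", g, s)
}
```

Because the substitute certificate carries a different public key, its SPKI digest cannot equal the published one, which is the mismatch Tony refers to when he says DANE will detect the man-in-the-middle. What the code does not show is why a client can believe the record in the first place: that comes from the RRSIG over the TLSA set, validated up through the zone's DNSKEY and the DS record the parent signs, which is exactly the role of the parent that the thread is discussing.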
