On Thu, 31 Jan 2013, Marc Lampo wrote:
> how can the *parent* domain provide the identity?
He who controls the spice, controls the universe! Oh wait, I mean to say the parent can already take control of all of its children, so yes, in the DNS world the "ID card" analogy does not quite work. (In the X509 world, the ID card analogy compares perhaps to US driver's licenses: each state's looks different, so no one can really verify the authenticity anymore.) So, parent DNS controls child DNS. Child DNS controls where it points the webserver at. So no new "vulnerabilities" are introduced by putting trust in self-signed certs anchored to DNS.
> The TLSA record is content of the domain (not the parent), is it? I know that, for DNSSEC, the parent signs the domain's public key information (DS), but that is purely DNSSEC. It does not contribute to the identity of the domain holder. Or what am I missing?
DNS does not provide "identity" information. But "Domain Validated" (DV) certificates don't either. Anyone controlling example.com can get a DV cert issued by the CABforum members without any identity check. If you are talking about EV certs, apparently CABforum people do more checks before handing this out, allegedly doing identity validation, so I would need to provide some Example Inc. paperwork before they should give me an EV cert. This part cannot be replaced with TLSA records, although TLSA records can contradict (rogue) EV certs.

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
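Paul's closing point, that a TLSA record can contradict a CA-issued (even EV) certificate, is easy to see in code. The following is an added illustration, not code from this thread or from any DANE implementation. It implements the RFC 6698 certificate association data computation (selector 0/1, matching type 0/1/2) and the client decision for certificate usages 1 (PKIX-EE) and 3 (DANE-EE); usages 0 and 2, which constrain a CA in the chain, are not modelled, and no PKIX chain validation is performed (the `pkix_valid` flag stands in for it). The certificate is a constructed toy DER shell with placeholder signature bytes, built inline so the example runs offline; the minimal DER walker that pulls out the SubjectPublicKeyInfo is part of the example, not a library call.

```python
"""DANE end-entity check (RFC 6698): does the certificate a server presents
agree with the TLSA record its zone owner published?  Added illustration;
the certificate is a constructed toy DER structure, not a real signed one."""
import hashlib
import hmac
from dataclasses import dataclass

# --- minimal DER helpers, just enough to locate SubjectPublicKeyInfo ---

def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(value: bytes):
    """Split a constructed value into (tag, full encoding) of each child TLV."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = der_tlv(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = der_tlv(cert_der)        # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs = der_children(cert_body)[0]
    _, tbs_body, _ = der_tlv(tbs)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]

# --- TLSA record semantics ---

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 1 = PKIX-EE, 3 = DANE-EE (0 and 2 not modelled here)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

    def rdata(self) -> str:
        """Presentation form as it would appear in a zone file."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"

def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {matching_type}")

def tlsa_from_cert(cert_der: bytes, usage=3, selector=1, matching_type=1) -> TLSARecord:
    """What the zone owner publishes for the key it actually uses."""
    return TLSARecord(usage, selector, matching_type,
                      association_data(cert_der, selector, matching_type))

def tlsa_matches(record: TLSARecord, cert_der: bytes) -> bool:
    expected = association_data(cert_der, record.selector, record.matching_type)
    return hmac.compare_digest(record.data, expected)

def dane_accepts(records, cert_der: bytes, pkix_valid: bool = False) -> bool:
    """Client decision. DANE-EE (3): a match alone suffices, the CA is irrelevant.
    PKIX-EE (1): a match AND a valid PKIX chain are both required.
    A CA-issued certificate (EV or not) that matches no record is refused."""
    for r in records:
        if r.usage == 3 and tlsa_matches(r, cert_der):
            return True
        if r.usage == 1 and pkix_valid and tlsa_matches(r, cert_der):
            return True
    return False

# --- constructed toy certificate: correct structure, placeholder signature ---

RSA_OID = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
SHA256_RSA_OID = der_encode(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption

def toy_certificate(key_bytes: bytes):
    """Build an X.509 DER shell around key_bytes; returns (cert_der, spki_der)."""
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))
    serial = der_encode(0x02, b"\x01")
    sig_alg = der_encode(0x30, SHA256_RSA_OID)
    name = der_encode(0x30, b"")                                  # empty Name, toy only
    validity = der_encode(0x30, der_encode(0x17, b"230101000000Z")
                          + der_encode(0x17, b"240101000000Z"))
    spki = der_encode(0x30, der_encode(0x30, RSA_OID + der_encode(0x05, b""))
                      + der_encode(0x03, b"\x00" + key_bytes))
    tbs = der_encode(0x30, version + serial + sig_alg + name + validity + name + spki)
    signature = der_encode(0x03, b"\x00" * 17)                    # placeholder, not a signature
    return der_encode(0x30, tbs + sig_alg + signature), spki

if __name__ == "__main__":
    legit, _ = toy_certificate(b"legitimate-key-bytes-constructed")
    rogue, _ = toy_certificate(b"rogue-ca-issued-key-constructed!")
    record = tlsa_from_cert(legit)  # zone owner publishes this under _443._tcp.example.com.
    print("_443._tcp.example.com. IN TLSA", record.rdata())
    print("legitimate cert accepted:", dane_accepts([record], legit))
    print("rogue CA-issued cert accepted:", dane_accepts([record], rogue, pkix_valid=True))
```

The rogue certificate in the last line is treated as having a perfectly valid CA chain (`pkix_valid=True`) and is still refused, because its public key does not match the DANE-EE record the domain owner published; that is the sense in which DNS-anchored data contradicts a mis-issued cert without replacing the identity checks a CA may do.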
