On Feb 1, 2013, at 7:40 AM, Marc Lampo <[email protected]> wrote:
> And once there is delegation, the registrant could then generate
> self-signed certificates,
> publish TLSA record with type 3 : "this self-signed certificate is OK,
> don't alert the user".
> Hence the original subject : "produce one's own identity card".

Anyone, at any time, can produce an identity card for themselves. Kids in the US who want to drink alcohol before they are 21 have known this for decades. The trick is to get others to believe it. The current web PKI allows any of hundreds of CAs to act as the ultimate authority for the ID. DANE allows a domain owner to use the DNSSEC trust anchor as the ultimate authority for the ID.

> When I first read the draft, I thought this was about
> "informing the user which CA was used for my official certificate".
> So, if a trusted CA is hacked and gives out an otherwise valid
> certificate for my domain,
> but to an organisation which is not "me",
> I can still inform my visitors which CA *I* chose for my real certificate.
> But that seems to be the CAA RR, recently published ...

It would only seem that if you didn't read the RFC. CAA is not for informing visitors about your CA, it is for informing diligent CAs about your CA.

--Paul Hoffman

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
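The usage-3 ("DANE-EE") TLSA record discussed above, as an added example that is not from this thread or from any DANE implementation: it builds the TLSA RDATA for a certificate the domain owner publishes and checks whether a presented certificate matches it, so a certificate that a compromised CA issued to someone else does not match the owner's record. The certificate bytes are constructed placeholders, and only selector 0 (full certificate) with matching type 1 (SHA-256) is implemented.

```python
import hashlib
import struct

# TLSA field values from RFC 6698 that this example uses.
USAGE_DANE_EE = 3        # usage 3: trust the end-entity certificate itself
SELECTOR_FULL_CERT = 0   # selector 0: match the full DER certificate
MATCH_SHA256 = 1         # matching type 1: SHA-256 of the selected data

# Constructed stand-ins for DER certificates (not real certificates; with
# selector 0 the whole blob is hashed, so any bytes demonstrate the logic).
MY_SELF_SIGNED_DER = b"\x30\x82CONSTRUCTED-self-signed-cert-for-example.test"
MIS_ISSUED_DER = b"\x30\x82CONSTRUCTED-cert-a-hacked-CA-issued-to-someone-else"


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute the Certificate Association Data for one certificate."""
    if selector != SELECTOR_FULL_CERT:
        # Selector 1 (SubjectPublicKeyInfo) needs ASN.1 parsing; not shown here.
        raise NotImplementedError("only selector 0 is supported")
    if matching_type != MATCH_SHA256:
        raise ValueError(f"unsupported matching type {matching_type}")
    return hashlib.sha256(cert_der).digest()


def tlsa_rdata(cert_der: bytes) -> bytes:
    """Encode a usage-3 TLSA record in RDATA wire form: 3 octets + data."""
    data = association_data(cert_der, SELECTOR_FULL_CERT, MATCH_SHA256)
    return struct.pack("!BBB", USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCH_SHA256) + data


def tlsa_presentation(rdata: bytes) -> str:
    """Render RDATA as it appears in a zone file: '3 0 1 <hex>'."""
    usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
    return f"{usage} {selector} {matching_type} {rdata[3:].hex()}"


def dane_ee_accepts(presented_der: bytes, tlsa_rdatas: list) -> bool:
    """Accept the presented cert iff it matches a usage-3 TLSA record.
    Usage 3 skips PKIX chain validation entirely; the client is assumed to
    have already validated the DNSSEC signatures on the TLSA RRset."""
    for rdata in tlsa_rdatas:
        usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
        if usage != USAGE_DANE_EE:
            continue  # usages 0-2 also require PKIX checks, not modelled here
        try:
            candidate = association_data(presented_der, selector, matching_type)
        except (NotImplementedError, ValueError):
            continue  # an unusable record must never cause acceptance
        if candidate == rdata[3:]:
            return True
    return False
```

The zone entry would read `_443._tcp.<owner name> IN TLSA` followed by the string `tlsa_presentation` returns; a client that trusts the DNSSEC chain then accepts exactly the owner's certificate and nothing else.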
