Paul,
The assertion by the parent relates to the DNS name, nothing more. But, that
name is under the control of the appropriate entity, in the DNS context.
More
importantly, that entity is limited in the range of DNS names for which it
can create a signed assertion, unlike in the browser PKI context. So, I
think
that makes the DANE approach to binding a public key to a web site DNS name
much more secure than the current browser PKI approach.
Steve
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
