On Mon, 4 Feb 2013, Marc Lampo wrote:
> This shift (in who provides identity) from "only trusted CA" to "only via DNS info"
There _is_ no shift. Whoever controls the DNS can do either of these things:
- Create an MX to receive email for the domain, and get a valid CA-signed cert.
- Create their own self-signed cert, and put it in a TLSA record.
"Only trusted CA" is a lie. If I control your DNS, I can get a "trusted CA" certificate too.
> it is possible to obtain genuine certificates from not so good CAs, but a complete shift to DNS only is no improvement.
This has nothing to do with "not so good CAs". If I control your DNS, I can get any "good CA" to issue a cert for me. And again, this _is_ different for EV certs, but they are rare, expensive and by definition won't scale.

Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
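The second path in the reply (a self-signed cert published via a TLSA record) comes down to what a DANE-EE verifier actually compares. The following Python is an added example, not code from this thread or from the DANE working group: it implements the TLSA selector and matching-type logic of RFC 6698 and a usage-3 acceptance check; the certificate and SubjectPublicKeyInfo blobs are constructed placeholder bytes, not real DER.

```python
import hashlib
from dataclasses import dataclass

# TLSA RDATA field values from RFC 6698; only those used below are listed.
DANE_EE = 3                  # usage 3: domain-issued cert, no CA chain consulted
SEL_FULL, SEL_SPKI = 0, 1    # selector: full certificate DER / SubjectPublicKeyInfo DER
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes   # certificate association data

    def presentation(self) -> str:
        """Zone-file form, e.g. '3 0 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"

def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Apply the selector, then the matching type, exactly as a verifier would."""
    blob = {SEL_FULL: cert_der, SEL_SPKI: spki_der}[selector]
    if mtype == MATCH_EXACT:
        return blob
    digest = {MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}[mtype]
    return digest(blob).digest()

def make_tlsa(cert_der, spki_der, usage=DANE_EE, selector=SEL_FULL, mtype=MATCH_SHA256):
    """The record a zone owner publishes for this certificate (CA-signed or self-signed alike)."""
    return TLSA(usage, selector, mtype, association_data(cert_der, spki_der, selector, mtype))

def dane_ee_accepts(cert_der: bytes, spki_der: bytes, records) -> bool:
    """DANE-EE check: accept the presented cert if any usage-3 record matches it.
    Usages 0-2 additionally require PKIX validation and are not modelled here."""
    return any(
        r.usage == DANE_EE
        and association_data(cert_der, spki_der, r.selector, r.mtype) == r.data
        for r in records
    )

# Constructed stand-ins for DER blobs (not real DER); a deployment hashes the actual encoding.
SELF_SIGNED_CERT = b"constructed-self-signed-cert-DER"
SELF_SIGNED_SPKI = b"constructed-self-signed-spki-DER"
REISSUED_CERT = b"constructed-reissued-cert-same-key-DER"
```

With selector 1 the record pins the key rather than the certificate, so a re-issued cert carrying the same key still matches; with selector 0 it does not.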
