Marc Lampo <[email protected]> writes:

> There are a number of cases where this does not contribute to security
> (malicious user who obtained a certificate and publishes
> corresponding TLSA RR);

It's worth noting that in order to do the above, you only had to trick a CA into issuing a cert *and* you must have control over the DNS for the domain, whereas before you had to only trick a CA into issuing a cert. So the bar has been raised for sites that have published a TLSA record.

So it certainly does contribute to security as it increases the infrastructure that an attacker must target to succeed in a take-over.

--
Wes Hardaker
My Pictures: http://capturedonearth.com/
My Thoughts: http://pontifications.hardakers.net/
