On 30 May 2013, at 04:24, Rick Andrews <[email protected]> wrote:

> Is there another list that's right for discussing the merits and demerits of 
> the different DANE options? I work for a CA, so of course I believe that the 
> current PKI is *not* irreparably broken, nor do I agree that modes 2 and 3 
> are "substantially more robust". Because I believe your voice is respected in 
> this forum, I wanted to speak up to make it clear that this opinion is not 
> shared by all.

Unless the chairs do not object, I believe this mailing list is a good place to 
discuss these matters.

IMHO, classic PKI augmented by DANE would be a very strong package. However, I 
would argue that without the extra identity proofing and other controls set by 
Extended Validation (EV), DANE has equal security properties to a plain 
Domain Validation (DV) certificate.

For the foreseeable future, we definitely need to combine DANE with classic PKI 
in order for the general Internet user to be able to validate certificates. For 
limited deployments, or applications where classic PKI has not yet gained 
significant traction (such as TLS for SMTP), a pure DANE solution makes sense 
(unless EV is required).

        jakob

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
