On May 30, 2013, at 9:37 AM, Jakob Schlyter <[email protected]> wrote:
> On 30 May 2013, at 04:24, Rick Andrews <[email protected]> wrote:
>
>> Is there another list that's right for discussing the merits and demerits of
>> the different DANE options? I work for a CA, so of course I believe that the
>> current PKI is *not* irreparably broken, nor do I agree that modes 2 and 3
>> are "substantially more robust". Because I believe your voice is respected
>> in this forum, I wanted to speak up to make it clear that this opinion is
>> not shared by all.
>
> Unless the chairs do not object, I believe this mailing list is a good place
> to discuss these matters.
>
> IMHO, classic PKI augmented by DANE would be a very strong package. However,
> I would argue that without the extra identity proofing and other controls set
> by Extended Validation (EV), DANE has equal security properties to a
> plain Domain Validation (DV) certificate.
>
> For a foreseeable future, we definitely need to combine DANE with classic PKI
> in order for the general Internet user to be able to validate certificates.
> For limited deployments, or applications where classic PKI has not yet gained
> significant traction (such as TLS for SMTP), a pure DANE solution makes sense
> (unless EV is required).

+1 !!!

--Olaf

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
