On 30 May 2013, at 10:09, Christian Heutger <[email protected]> wrote:

> I support your point of view, however domain validation also has some
> advantages with public certificates over DANE: the requirement for
> renewing (creating a new private key), the instant revoke with CRL and OCSP
> (against caching DNS), but finally also being aware of hackers and
> spammers. So if you look at DANE, everyone can run a valid site with https
> and e.g. spread malware through that, as often https traffic is not scanned
> and is usually trusted, like the recently mentioned phishing attacks. In
> addition, with SMTP over TLS running mail servers, the assumption would be
> that it is a valid mail server. If everyone can go with SMTP over TLS,
> giving more trust to valid SMTP connections will be undergone.

The additional services you mention are optional and not part of WebTrust 
and/or ETSI certifications. There is no guarantee that such services are 
performed on services served under a classic PKI certificate.

Regarding revocation we've seen too many examples where CRLs are not checked 
properly by the clients and/or OCSP responders are not responding (or 
responding so slowly that users disable them). This might not be how the PKI 
infrastructure was designed, but it is the reality.

Anyone can do SMTP with TLS today and most (sane) mail servers do that. Without 
classic PKI. And the SMTP servers they talk to do no validation whatsoever. 
DANE can only make things better here.

        jakob
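To make the DANE side of this exchange concrete, the following is an added example (not code from the thread or from any DANE implementation) of how an SMTP client would match a server's presented certificate against TLSA records (RFC 6698 wire format) using the DANE-EE(3) usage, which pins the server's own key or certificate and needs no CA chain at all. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins; a real client would take them from the STARTTLS handshake and the TLSA RRset from a DNSSEC-validated lookup.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins for the DER certificate and its SubjectPublicKeyInfo
# (not real X.509 data); only their hashes matter for the matching logic.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"example-cert-der" * 4
SAMPLE_SPKI_DER = b"\x30\x59\x30\x13" + b"example-spki-der" * 2


def tlsa_rdata(usage, selector, mtype, data):
    """Build TLSA RDATA in wire format: three one-octet fields, then the
    certificate association data (RFC 6698 section 2.1)."""
    return struct.pack("!BBB", usage, selector, mtype) + data


def parse_tlsa(rdata):
    """Split TLSA RDATA into (usage, selector, matching type, data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def association_data(selector, mtype, cert_der, spki_der):
    """Derive the value a TLSA record must carry for this certificate.
    Selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type %d" % mtype)


def dane_ee_matches(rdata, cert_der, spki_der):
    """True if one TLSA record is a DANE-EE(3) record matching the presented
    certificate. Records with another usage or an unknown selector/matching
    type are unusable for this EE-only check and never match."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 3:
        return False
    try:
        expected = association_data(selector, mtype, cert_der, spki_der)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, data)


def dane_verify(rrset, cert_der, spki_der):
    """A server passes if at least one record in the RRset matches. Rotating
    the key means publishing the new record before switching certificates."""
    return any(dane_ee_matches(rd, cert_der, spki_der) for rd in rrset)
```

With no TLSA RRset at all there is nothing to match, which is the "no validation whatsoever" case the reply describes; the check above only applies once the domain publishes records.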

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane