I don't disagree with the idea that CAs+DANE provides a greater barrier for HTTPS domain impersonation than just DANE. But...
On 30 May 2013 04:09, Christian Heutger <[email protected]> wrote:
> the instant revoke with CRL and OCSP
> (against caching DNS)

I don't agree with this. Revocation through TTL expiry on a domain can provide the same revocation delay as CRLs and OCSP. CRLs have a "window of replay" of up to a week, OCSP from 6 hours to a day (usually). TTLs are in the same ballpark, and are configurable.

> like recently mentioned phishing attacks.

As part of my job I run phishing attacks on companies, fairly regularly. While most CAs do a decent job of protecting against the highest-profile domains, obtaining a DV cert for the other 99.9% of companies is never a problem. A long-lived or extremely popular phishing attack may get detected in time to protect some users, but a single-day or two-day operation does not. This is an advantage of CAs, but not a large one, due to the lack of protections supplied for 99.9% of companies, the fact that all CAs are trusted equally so I can go to the weakest one, and the natural desire of CAs to issue certificates fast and only flag certificates for manual review if absolutely necessary.

> In addition with SMTP over TLS running mail servers, the assumption would be,
> that it is a valid mail server. If everyone can go with SMTP over TLS,
> giving more trust to valid SMTP connections will be undergone.

PKIX Validation + SMTP is all sorts of wonky. I'm just throwing it out there ;)

On 30 May 2013 03:37, Jakob Schlyter <[email protected]> wrote:
> Unless the chairs object, I believe this mailing list is a good
> place to discuss these matters.

I'll occasionally join in if the consensus is to allow this type of discussion, but unless it's directly related to a standard we're working on or implementing, I don't really think this type of conversation is productive at this point. These arguments and debates have been hashed and rehashed over and over. There is a difference of opinion, and people feel strongly on both sides.

Civil discussion is fine, but a lot of people are tired of the topic, so the level of civility and interest is decreasing, making the conversations less enlightening as time goes on.

-tom
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
