On 30 May 2013, at 14:13, Christian Heutger <[email protected]> wrote:

> So with Usage 2 the own CA can be everything, from an online CA,
> storing the private key in the public accessible webroot, enabling
> everyone who recognized it to issue certs for the domain by himself.

There is no practical difference between usage 2 and 3 - it is just a choice
of levels of indirection.
The core of the DV problem is that as long as you control the DNS (and
therefore the mail server), you can get any certificate for anything within the
domain. DANE just makes this issue more apparent (and adds actual security by
requiring DNSSEC).
jakob
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
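
The "levels of indirection" point in the thread above, as a TLSA matching sketch (an added example, not part of the original message or of any DANE implementation). The certificates are constructed byte strings, and the helper names `pinned_index` and `make_rdata` are hypothetical; only selector 0 is handled, and path validation up to the pinned certificate is assumed to happen elsewhere.

```python
import hashlib

DANE_TA, DANE_EE = 2, 3          # certificate usage values from RFC 6698
HASHES = {0: lambda b: b,        # matching type 0: exact bytes
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata):
    """Split TLSA RDATA into (usage, selector, matching type, association data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]

def pinned_index(rdata, chain):
    """Return the index in `chain` that the record pins, or None.

    chain[0] is the server certificate (DER), later entries are its issuers.
    Sketch limits (assumptions of this example): selector 0 only; for usage 2
    only issuer entries are searched; signature and path validation up to the
    pinned certificate is still required and is not done here.
    """
    usage, selector, mtype, data = parse_tlsa(rdata)
    if selector != 0 or mtype not in HASHES:
        raise ValueError("unsupported selector or matching type")
    if usage == DANE_EE:
        candidates = range(0, min(1, len(chain)))   # the server cert itself
    elif usage == DANE_TA:
        candidates = range(1, len(chain))           # one step up: its issuers
    else:
        raise ValueError("only usages 2 and 3 are handled")
    for i in candidates:
        if HASHES[mtype](chain[i]) == data:
            return i
    return None

def make_rdata(usage, cert):
    """Build RDATA 'usage 0 1 <sha256(cert)>' for a constructed certificate."""
    return bytes([usage, 0, 1]) + hashlib.sha256(cert).digest()

# Constructed stand-ins for DER certificates (not real certificates).
CA = b"constructed-domain-CA-cert"
OLD_CHAIN = [b"constructed-leaf-cert-1", CA]
NEW_CHAIN = [b"constructed-leaf-cert-2", CA]   # new leaf issued by the same CA

if __name__ == "__main__":
    for name, usage, pin in (("usage 3", DANE_EE, OLD_CHAIN[0]), ("usage 2", DANE_TA, CA)):
        rd = make_rdata(usage, pin)
        print(name, pinned_index(rd, OLD_CHAIN), pinned_index(rd, NEW_CHAIN))
```

A usage 3 record stops matching when the leaf is replaced, while a usage 2 record keeps matching anything the pinned CA issues, so the CA key needs at least the protection of the server key; in both cases the record itself is set by whoever controls the DNS zone.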
