On 30 May 2013, at 16:55, Ben Laurie <[email protected]> wrote:
> a) It introduces latency, and
so does checking revocation lists and OCSP.
> b) It isn't reliable, so cannot be hard-fail.
I'm a bit disappointed that browser vendors are not willing to implement new
protocols, like DANE, just because there exist clients out there that cannot
reliably use them. I'm not saying we should enable these features by default,
but to be able to test them and learn more we need them in something that is
not an experimental build.
I would even stretch my neck out and claim that the additional controls
provided by using DANE with certificate use 0/1 (i.e. backed by classic PKIX)
would make sense even without DNSSEC. I know this is a very dangerous path and
many dragons lurk along it, but I still believe this is something we should
explore further.
jakob
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
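To make the "backed by classic PKIX" point concrete, here is an added example (not code from the thread or from any DANE implementation) of how a client applies a TLSA record with certificate usage 0 (PKIX-TA) or 1 (PKIX-EE) as an extra constraint on top of the ordinary PKIX result, never as a replacement for it. The certificate bytes, names and TLSA records are constructed sample data; a real client would take DER certificates and SubjectPublicKeyInfo blobs from the TLS handshake.

```python
import hashlib

# Constructed sample "certificates": real code would use DER bytes and the
# extracted SubjectPublicKeyInfo of each certificate in the server's chain.
ROOT_CA = {"name": "Example Root CA", "der": b"root-ca-der", "spki": b"root-ca-spki"}
INTER_CA = {"name": "Example Inter CA", "der": b"inter-ca-der", "spki": b"inter-ca-spki"}
LEAF = {"name": "www.example.com", "der": b"leaf-der", "spki": b"leaf-spki"}
CHAIN = [LEAF, INTER_CA, ROOT_CA]  # end-entity first, as presented in TLS


def tlsa_data(cert, selector, matching_type):
    """Certificate association data for a cert, per RFC 6698 selector/matching type."""
    blob = cert["der"] if selector == 0 else cert["spki"]  # 0 = full cert, 1 = SPKI
    if matching_type == 0:
        return blob                                       # exact match
    if matching_type == 1:
        return hashlib.sha256(blob).digest()              # SHA-256 of blob
    if matching_type == 2:
        return hashlib.sha512(blob).digest()              # SHA-512 of blob
    raise ValueError("unknown matching type")


def pkix_backed_tlsa_ok(record, chain, pkix_valid):
    """Apply a usage 0/1 TLSA record (usage, selector, mtype, data) to a chain.

    pkix_valid is the outcome of the client's normal PKIX path validation.
    Usage 0/1 can only narrow trust: a failed PKIX check stays failed, and
    the record must additionally match the right certificate in the path.
    """
    usage, selector, mtype, data = record
    if usage not in (0, 1):
        # Usages 2/3 (DANE-TA, DANE-EE) replace PKIX trust and therefore
        # genuinely depend on DNSSEC; they are deliberately not handled here.
        raise ValueError("only PKIX-backed usages 0 and 1 are handled")
    if not pkix_valid:
        return False
    if usage == 1:
        candidates = chain[:1]   # PKIX-EE: must match the end-entity certificate
    else:
        candidates = chain[1:]   # PKIX-TA: a CA in the validated path must match
    return any(tlsa_data(c, selector, mtype) == data for c in candidates)


# Constructed TLSA records: "1 1 1 <sha256 of leaf SPKI>" and "0 0 1 <sha256 of intermediate DER>".
EE_RECORD = (1, 1, 1, tlsa_data(LEAF, 1, 1))
TA_RECORD = (0, 0, 1, tlsa_data(INTER_CA, 0, 1))
```

Because a usage 0/1 record can only turn a PKIX-valid chain into a rejection, a forged or missing record without DNSSEC can at worst cause a hard failure, which is the trade-off the message above is weighing.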