On Wed, 5 Feb 2014, Viktor Dukhovni wrote:
> I strongly support Paul's comment. Unlike stale on-disk certificates
> held by third-parties, published DANE records (SMIMEA, TLSA, ...)
> are maintained by the subject's domain and can be presumed *current*
> when the publishing domain is not negligent.
> Therefore, there is no need for a fragile blacklist mechanism.
> The DANE data in DNSSEC is a comprehensive whitelist. Every
> certificate not listed in DANE is the wrong certificate; unlike
> CRLs, DANE fails closed.
+1
Any application caching DNS data beyond the TTL should either forget the
data, or prompt the user. Adding more bells and whistles in DNS to
emulate X.509 offline properties is not appropriate for DNS.
Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
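The two points made in the thread (DANE is a whitelist that fails closed, and TLSA data must not be trusted past its TTL) can be shown as a small verifier. The following is an added example written for this page, not code from either poster or from any DANE implementation. It handles only certificate usage DANE-EE(3) with the selectors and matching types from RFC 6698; other usages are treated as unsupported and never match. All names (TlsaRecord, EndEntityCert, dane_ee_matches), the sample certificate bytes and the sample records are assumptions constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional, Sequence

# TLSA field values from RFC 6698 section 2.1 (only the ones used here).
DANE_EE = 3          # certificate usage 3: match the end-entity certificate itself
SEL_FULL_CERT = 0    # selector 0: full DER certificate
SEL_SPKI = 1         # selector 1: DER SubjectPublicKeyInfo
MATCH_FULL = 0       # matching type 0: exact bytes
MATCH_SHA256 = 1     # matching type 1: SHA-256 of the selected bytes
MATCH_SHA512 = 2     # matching type 2: SHA-512 of the selected bytes


@dataclass(frozen=True)
class TlsaRecord:
    """One TLSA RR plus the cache metadata needed to honour its TTL (assumed shape)."""
    usage: int
    selector: int
    matching_type: int
    data: bytes           # certificate association data
    ttl: int              # RR TTL in seconds
    obtained_at: float    # epoch seconds when the RRset was received
    dnssec_secure: bool   # resolver validated the RRset (AD bit set)


@dataclass(frozen=True)
class EndEntityCert:
    """The peer's leaf certificate, pre-split into the two selectable encodings."""
    der: bytes    # full DER certificate
    spki: bytes   # DER SubjectPublicKeyInfo


def usable_records(records: Sequence[TlsaRecord], now: float) -> list:
    """Keep only records that are DNSSEC-validated and still within their TTL.

    A record past its TTL is simply forgotten; nothing is kept around as a
    fallback, which is what makes the whitelist fail closed.
    """
    return [r for r in records if r.dnssec_secure and now < r.obtained_at + r.ttl]


def _selected_bytes(cert: EndEntityCert, selector: int) -> Optional[bytes]:
    if selector == SEL_FULL_CERT:
        return cert.der
    if selector == SEL_SPKI:
        return cert.spki
    return None  # unknown selector: cannot match


def _association(selected: bytes, matching_type: int) -> Optional[bytes]:
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    return None  # unknown matching type: cannot match


def dane_ee_matches(cert: EndEntityCert, records: Sequence[TlsaRecord],
                    now: Optional[float] = None) -> bool:
    """True iff some fresh, secure DANE-EE(3) record matches the certificate.

    With DANE-EE(3) the TLSA record alone authenticates the peer; RFC 7671
    section 5.1 does not require a PKIX path or name/expiry checks on the
    leaf. Any record that is stale, unsigned, of another usage, or with an
    unknown selector/matching type contributes nothing, so the default is
    rejection.
    """
    now = time.time() if now is None else now
    for rr in usable_records(records, now):
        if rr.usage != DANE_EE:
            continue  # DANE-TA(2)/PKIX usages need path validation; not handled here
        selected = _selected_bytes(cert, rr.selector)
        if selected is None:
            continue
        expected = _association(selected, rr.matching_type)
        if expected is None:
            continue
        if hmac.compare_digest(expected, rr.data):  # also False on length mismatch
            return True
    return False


# Constructed sample data (not real certificates): stand-in DER blobs.
SAMPLE_CERT = EndEntityCert(der=b"constructed-der-certificate", spki=b"constructed-spki")
OTHER_CERT = EndEntityCert(der=b"some-other-certificate", spki=b"other-spki")
T0 = 1_391_558_400.0  # an arbitrary epoch timestamp used as the fetch time

# A "3 1 1" record (DANE-EE, SPKI, SHA-256) as a site would publish it.
SAMPLE_RECORDS = [
    TlsaRecord(DANE_EE, SEL_SPKI, MATCH_SHA256,
               hashlib.sha256(SAMPLE_CERT.spki).digest(),
               ttl=3600, obtained_at=T0, dnssec_secure=True),
]

if __name__ == "__main__":
    print("fresh match:", dane_ee_matches(SAMPLE_CERT, SAMPLE_RECORDS, now=T0 + 10))
    print("after TTL:  ", dane_ee_matches(SAMPLE_CERT, SAMPLE_RECORDS, now=T0 + 4000))
```

The stale case is the one that matters for Paul's point: once the record has aged past its TTL the verifier has no data at all and refuses the connection, rather than falling back to a previously seen answer. Likewise an unsigned answer (dnssec_secure False) is ignored entirely, so a resolver that cannot validate leaves the client with an empty whitelist.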