My problem with DANE is that since it allows for Cert Validation, DNSSEC must be a MUST.
Of course if you are doing HPKP in DNS, doing DNSSEC is a no brainer for the site. But from a game theory point of view, there is a big difference between 'strongly encouraged' and 'MUST'. Making the requirement for DNSSEC a 'MUST' means that DNSSEC support in the browser is a MUST. And so any attempt to use TLSA is dependent on DNSSEC deployment having been achieved. HPKP in DNS can be rolled out today. Rolling out HPKP highlights the failure of the browser providers to fully lock the system down with DNSSEC. The objective here is to get the camel's nose inside the tent.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane

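The post's first point, that a TLSA record used for certificate validation is only meaningful when the DNS answer itself was DNSSEC-validated, can be made concrete with a small verifier. The following is an added example, not code from the post or from any DANE implementation. It models a TLSA record as the (usage, selector, matching type, data) tuple of RFC 6698, computes the association data from the server's certificate, and refuses to use the record at all when the resolver did not report the answer as validated (the AD bit), which is what RFC 6698 section 4.1 requires. Only the DANE-EE usage (3) is handled; usages 0 to 2 additionally need PKIX path validation, which is out of scope here. The certificate and SPKI bytes are constructed placeholders, not real DER.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable

# RFC 6698 field values used below
USAGE_DANE_EE = 3          # certificate usage: match the end-entity cert, no PKIX needed
SELECTOR_FULL_CERT = 0     # selector: whole certificate
SELECTOR_SPKI = 1          # selector: SubjectPublicKeyInfo only
MATCH_EXACT = 0            # matching type: raw bytes
MATCH_SHA256 = 1           # matching type: SHA-256 of the selected data
MATCH_SHA512 = 2           # matching type: SHA-512 of the selected data


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Derive the bytes a TLSA record is compared against (RFC 6698 section 2.1)."""
    if selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def dane_ee_check(records: Iterable[TLSARecord], dnssec_validated: bool,
                  cert_der: bytes, spki_der: bytes) -> str:
    """Outcome of a DANE-EE check: 'unusable', 'match' or 'mismatch'.

    'unusable' means the TLSA answer was not DNSSEC-validated, so the client
    must behave as if no TLSA records exist; a record that could have been
    forged in transit gives no assurance, which is the post's point.
    """
    if not dnssec_validated:
        return "unusable"
    for rec in records:
        if rec.usage != USAGE_DANE_EE:
            continue  # other usages need PKIX validation as well; not modelled here
        try:
            expected = association_data(cert_der, spki_der, rec.selector, rec.matching_type)
        except ValueError:
            continue  # unknown selector/matching type: skip the record
        if expected == rec.data:
            return "match"
    return "mismatch"


# Constructed sample input: placeholder bytes standing in for DER encodings.
SAMPLE_CERT = b"constructed-end-entity-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info-der"
# A "3 1 1" record pinning the SPKI by SHA-256, as published for the sample host.
SAMPLE_RECORD = TLSARecord(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                           hashlib.sha256(SAMPLE_SPKI).digest())


def demo() -> dict:
    """Run the three cases a resolver can present to the client."""
    return {
        "validated_good": dane_ee_check([SAMPLE_RECORD], True, SAMPLE_CERT, SAMPLE_SPKI),
        "validated_wrong_key": dane_ee_check([SAMPLE_RECORD], True, SAMPLE_CERT, b"other-spki"),
        "not_validated": dane_ee_check([SAMPLE_RECORD], False, SAMPLE_CERT, SAMPLE_SPKI),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `not_validated` case is the one the post is about: the record contents are correct, yet the client has to discard them, so a TLSA deployment buys nothing until validating resolvers and DNSSEC-signed zones are in place end to end.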