On Mon, Feb 15, 2016 at 3:15 PM, Viktor Dukhovni <[email protected]> wrote:
>
>> On Feb 15, 2016, at 8:40 AM, Phillip Hallam-Baker <[email protected]> wrote:
>>
>> TLSA deployment is negligible, less than 1000 domains and 7-13% of those are wrong.
>
> Not surprising. For HTTPS, if nobody is checking, why should they be right!
>
> With SMTP, out of 11k tested domains ~30 (0.3%) are wrong. TLSA records are
> only kept right if there's an operational impact when they're wrong.
>
> The error rate for SMTP will drop as more sending systems enable outbound checks.
That is a predictable consequence of combining the key publication mechanism and the security policy mechanism. People create keys in advance of actually using them.

This is why I proposed separating the two systems. To validate a cert one would use

    <base32-cert-fingerprint>.example.com TLSB <blah>

Perhaps if some people had been less willing to dismiss any contribution from people in the PKI industry as antithetical to the purposes of the WG, this situation might have been avoided. That is all water under the bridge now, of course.

I will write a draft proposing my way to do it. Perhaps people could do me the favor of thinking twice before complaining that it treads on DANE scope.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
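The "wrong record" case the two posters are arguing about is easiest to see with the check an outbound SMTP client actually performs. The following is an added example written for this page, not code from the thread, from Postfix or from any other DANE implementation. It implements the RFC 6698 matching rules (selector 0/1, matching type 0/1/2) and the RFC 7672 usability rule (only DANE-TA(2) and DANE-EE(3) count for SMTP), then plays through a key rollover where the DNS record is published for the old key and the server starts presenting a new one. The certificate bytes are constructed stand-ins, not real DER; a real client would take them from the TLS handshake and extract the SubjectPublicKeyInfo with an ASN.1 parser. Path validation from the leaf to a DANE-TA anchor is left to the TLS library and is not repeated here.

```python
"""TLSA matching for an outbound SMTP DANE check (RFC 6698 / RFC 7672 rules).

Added example, not part of the mailing-list thread and not any project's code.
Certificate bytes below are CONSTRUCTED stand-ins, not real DER.
"""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TLSA:
    """One TLSA RR: usage, selector, matching type, association data."""
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


@dataclass(frozen=True)
class Cert:
    """Minimal view of one certificate from the presented chain (leaf first)."""
    der: bytes   # DER encoding of the whole certificate
    spki: bytes  # DER SubjectPublicKeyInfo taken from it


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file / dig form, e.g. '3 1 1 2bb1...'. The hex part may
    be split across whitespace, as dig prints long RDATA."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """What a record with this selector/matching type must contain to match
    `cert` (RFC 6698 section 2.1)."""
    blob = {0: cert.der, 1: cert.spki}[selector]
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert: Cert, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-form record an operator would publish for `cert`;
    '3 1 1' is the common choice for SMTP."""
    return f"{usage} {selector} {mtype} {association_data(cert, selector, mtype).hex()}"


def _usable(rec: TLSA) -> bool:
    # PKIX-TA(0)/PKIX-EE(1) are not usable for SMTP DANE (RFC 7672), and
    # unknown selectors/matching types make a record unusable, not a mismatch.
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)


def record_matches(rec: TLSA, chain: List[Cert]) -> bool:
    """Does this single usable record authenticate the presented chain?"""
    if not _usable(rec):
        return False
    if rec.usage == 3:
        candidates = chain[:1]   # DANE-EE: only the end-entity cert is compared
    else:
        candidates = chain[1:]   # DANE-TA: the anchor must be an issuer in the chain
    return any(association_data(c, rec.selector, rec.mtype) == rec.data for c in candidates)


def dane_verdict(records: List[str], chain: List[Cert]) -> str:
    """Outcome for one MX host: 'authenticated'; 'mismatch' (usable records
    exist but none match, so the sender must not deliver); or 'unusable'
    (no usable records, so RFC 7672 falls back to unauthenticated TLS)."""
    usable = [r for r in map(parse_tlsa, records) if _usable(r)]
    if not usable:
        return "unusable"
    return "authenticated" if any(record_matches(r, chain) for r in usable) else "mismatch"


# Constructed stand-ins: distinct blobs so the digests differ, nothing more.
OLD_KEY = Cert(der=b"CONSTRUCTED-DER-old", spki=b"CONSTRUCTED-SPKI-old")
NEW_KEY = Cert(der=b"CONSTRUCTED-DER-new", spki=b"CONSTRUCTED-SPKI-new")
ISSUER = Cert(der=b"CONSTRUCTED-DER-issuer", spki=b"CONSTRUCTED-SPKI-issuer")


def rollover_scenarios() -> dict:
    """The failure mode in the thread: a '3 1 1' record published for the old
    key, then the server starts presenting a key created ahead of time."""
    old_rec, new_rec = make_tlsa(OLD_KEY), make_tlsa(NEW_KEY)
    return {
        "before rollover": dane_verdict([old_rec], [OLD_KEY]),            # record and key agree
        "stale record": dane_verdict([old_rec], [NEW_KEY]),               # DNS not updated: 'wrong'
        "both published": dane_verdict([old_rec, new_rec], [NEW_KEY]),    # publish new before switching
        "dane-ta issuer": dane_verdict([make_tlsa(ISSUER, usage=2, selector=0)], [NEW_KEY, ISSUER]),
        "pkix only": dane_verdict([make_tlsa(NEW_KEY, usage=1)], [NEW_KEY]),  # ignored for SMTP
    }


if __name__ == "__main__":
    for name, verdict in rollover_scenarios().items():
        print(f"{name:16} -> {verdict}")
```

The "stale record" case is exactly the record that shows up as "wrong" in the surveys quoted above: with a sender that checks, it is a hard delivery failure, which is why records stay right where outbound checking is on. The "both published" case is the rollover discipline that avoids it: publish the record for the new key (and keep the old one) before the server starts using it. The "pkix only" case shows why a usage-0/1 record can never be "wrong" for SMTP; clients ignore it entirely.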
