On Tue, May 22, 2018 at 11:17 AM, Tim Hollebeek <tim.holleb...@digicert.com>
wrote:

>
> > Given the TTLs and the key sizes in use on DNSSEC records, why do you
> > believe this?
>
> DigiCert is not sympathetic to disk space as a reason to not keep
> sufficient information in order to detect misissuance due to CAA failures.
>
> In fact, inspired by this issue, we are taking a look internally at what we
> log, and considering the feasibility of logging even more information,
> including full DNSSEC signed RRs.
>

Hi Tim,

I'm not sure why you mentioned disk space - could you help me understand
why you brought that up?

It doesn't actually seem to respond to the question - which is that the TTLs
and key sizes of DNSSEC records affect both the verifiability of such
information and its ability to be used for non-repudiation (which is
ostensibly the goal of such record keeping).

I think your response presently rather severely misunderstands DNSSEC or
what the implications of what you propose mean, but I look forward to
DigiCert actually sharing what it proposes to do, so that the community can
discuss whether it reasonably achieves those goals with a proposed
implementation. Otherwise, we are arguably no different from where we are
today, in which CAs do what they believe is reasonable for one purpose, but
perhaps fail to achieve that in light of potential risks.
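The point about TTLs and key lifetimes limiting how long retained DNSSEC evidence stays checkable can be shown concretely. The script below is an added illustration, not code from either participant or from DigiCert: it computes the RFC 4034 key tag of a DNSKEY and then, for a constructed CAA RRset plus its RRSIG, reports whether an auditor could still tie the logged signature to a retained signing key at a given point in time. The zone name, key bytes, timestamps and CAA contents are all constructed sample values; the signature bytes are a placeholder and no ECDSA verification is performed, because the question here is key and window retention, not the cryptographic check itself.

```python
"""
Why logged DNSSEC evidence for CAA decays: an RRSIG is only meaningful inside
its inception..expiration window, and only while the DNSKEY it was made with
(located by signer name, algorithm and key tag) is still available to the
verifier. Every record below is constructed sample data, not real zone data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int          # 256 = ZSK, 257 = KSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 13 = ECDSAP256SHA256
    public_key: bytes


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int     # seconds since epoch, as carried on the wire
    inception: int
    key_tag: int
    signer: str
    signature: bytes


@dataclass(frozen=True)
class RetainedCAAEvidence:
    owner: str
    caa_rdata: tuple    # (flags, tag, value) triples in presentation form
    rrsig: RRSIG
    observed_at: int    # when the CA performed the CAA lookup


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = (key.flags.to_bytes(2, "big")
             + bytes([key.protocol, key.algorithm])
             + key.public_key)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even bytes are the high half of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ts(presentation: str) -> int:
    """Parse the YYYYMMDDHHMMSS form used in RRSIG presentation text into epoch seconds."""
    dt = datetime.strptime(presentation, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def verifiability(evidence: RetainedCAAEvidence, now: int, retained_keys) -> str:
    """
    Classify what a retained CAA+RRSIG record is worth at time `now`.
    Plain integer comparison is used for the window; RFC 4034 specifies
    serial-number arithmetic on 32-bit values, which only matters near wrap.
    """
    sig = evidence.rrsig
    if not (sig.inception <= now <= sig.expiration):
        return "signature-window-closed"
    matching = [k for k in retained_keys
                if k.owner == sig.signer
                and k.algorithm == sig.algorithm
                and key_tag(k) == sig.key_tag]
    if not matching:
        # The signature bytes alone prove nothing once the key has rolled and
        # was not retained (together with the chain that authenticated it).
        return "signing-key-not-retained"
    return "verifiable-with-retained-key"


# --- constructed sample zone material (hypothetical, not a real zone) ---
SAMPLE_ZSK = DNSKEY("example.com.", 256, 3, 13, bytes(range(1, 9)))
SAMPLE_RRSIG = RRSIG("CAA", 13, 2, 3600,
                     expiration=ts("20180605000000"),
                     inception=ts("20180515000000"),
                     key_tag=key_tag(SAMPLE_ZSK),
                     signer="example.com.",
                     signature=b"\x00" * 64)   # placeholder, not a real signature
EVIDENCE = RetainedCAAEvidence("example.com.",
                               ((0, "issue", "ca.example"),),
                               SAMPLE_RRSIG,
                               observed_at=ts("20180522111700"))


def scenarios() -> dict:
    """Same stored evidence, judged at different times / with different key retention."""
    return {
        "at lookup, key retained": verifiability(EVIDENCE, EVIDENCE.observed_at, [SAMPLE_ZSK]),
        "at lookup, key not retained": verifiability(EVIDENCE, EVIDENCE.observed_at, []),
        "six weeks later": verifiability(EVIDENCE, ts("20180701000000"), [SAMPLE_ZSK]),
    }


if __name__ == "__main__":
    for label, status in scenarios().items():
        print(f"{label:30s} {status}")
```

The three scenarios make the argument in the thread concrete: storing the signed CAA RRset alone is not enough for later non-repudiation, since the RRSIG window closes on its own schedule and the DNSKEY it references disappears on rollover, so the retained record has to include the key material (and the chain that authenticated it) as observed at lookup time.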
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy