On Tue, 10 Jul 2018, Ryan Sleevi wrote:
That's why involving DNS is at least relevant to that discussion, especially given that publicly trusted certificates are themselves predicated on DNS. Further, considering that the CA only has to validate a DNS once per 825-day period, and can issue unlimited 825-day certificates during that period, then the effective extension of relying solely on certificates is 1650 days minus a second.
This, of course, is only an argument in favour of DANE deprecating WebPKI, especially in light of the EV failures reducing WebPKI to only DNS already :)

Paul
