Hi Hannes,
On 7/7/14, 8:23 AM, Hannes Tschofenig wrote:
> Just a minor note on this paragraph:
>
> On 07/07/2014 06:48 AM, Eliot Lear wrote:
>> because HTTPS currently depends on X.509 keys, other

I didn't write the above, Paul did. But to your point below...

>>> groups in the IETF world are already working to make HTTPS proof against
>>> on-path surveillance. (google for "perfect forward secrecy" to learn
>>> more), and others are working to defend the internet user population
>>> against wildcard or targeted SSL certificates issued by governments and
>>> other anti-secrecy agents with on-path capabilities.
> TLS has this ciphersuite concept and allows you to use more than just X.509
> certificates. As such, you have more freedom than you think (if you know
> what you want).

Yes. This is something you might know something about ;-)

> It would be funny if the precondition for using DANE would be to
> require a PKI as currently used on the Web...

Unless what you're using ISN'T a PKI. Any DNS mechanism must be free and clear of dependency loops. While that may be theoretically possible with a PKI, I'd hazard a guess (perhaps worth a drink at a bar) that the number of dependencies explodes, making such a loop more likely in an operational environment.

Eliot

_______________________________________________
Int-area mailing list
https://www.ietf.org/mailman/listinfo/int-area
