On 7/7/2014 12:14 AM, Eliot Lear wrote:

> Unless what you're using ISN'T a PKI. Any DNS mechanism must be
> free and clear of dependency loops. While that may be
> theoretically possible with a PKI, I'd hazard a guess (perhaps
> worth a drink at a bar) that the number of dependencies explodes,
> making such a loop more likely in an operational environment.

In fact, some sort of "PKI-free" framework might even be more preferable for some folks.

The problem with a PKI is not necessarily a technical problem -- a trust anchor has to be established somewhere with a PKI scheme, and politically that presents a lot of problems in this day & age.

That is *not* to say that DANE is not a desirable thing to deploy/accomplish.

Just sayin'.

$.02,

- ferg

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
