On 19.07.2016 16:06, Sam Whited wrote:
> On Tue, Jul 19, 2016 at 4:53 AM, Simon Josefsson <[email protected]> wrote:
>> I wonder if people really care about this usage any more -- it does not
>> scale well (all domains have to be encoded in the same cert => big
>> certs) and introduces an indirection which often leaves room for
>> attackers
>
> I don't understand what problem you're solving by doing this.

Isn't one problem that a cert with CN "example.org" will be valid for all services found on example.org (simply speaking), whereas using SRV-ID restricts the cert to a particular service?

Of course, everything will become better once DANE is in wide use. :)

- Florian
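The scoping difference raised in this message, as an added example that is not part of the original thread: a simplified identifier matcher in the style of RFC 6125, where an SRV-ID (RFC 4985 SRVName, `_service.name`) only matches one service while a DNS-ID or CN-ID matches any service on the domain. The function names and the sample identifiers are constructed for illustration; wildcard matching and certificate parsing are left out.

```python
from typing import Iterable, List, NamedTuple


class PresentedId(NamedTuple):
    kind: str   # "SRV-ID", "DNS-ID" or "CN-ID"
    value: str  # e.g. "_xmpp-client.example.org" or "example.org"


def matches(presented: Iterable[PresentedId], domain: str, service: str) -> bool:
    """True if any presented identifier covers `service` on `domain`."""
    presented = list(presented)
    domain = domain.lower().rstrip(".")
    service = service.lower()
    # A CN-ID is only a fallback when the cert carries no SAN identifiers.
    has_san = any(p.kind in ("SRV-ID", "DNS-ID") for p in presented)
    for p in presented:
        value = p.value.lower().rstrip(".")
        if p.kind == "SRV-ID":
            # SRVName is "_service.name": both parts must match.
            label, _, name = value.partition(".")
            if label == "_" + service and name == domain:
                return True
        elif p.kind == "DNS-ID" and value == domain:
            return True  # not bound to any service
        elif p.kind == "CN-ID" and not has_san and value == domain:
            return True  # not bound to any service
    return False


def services_covered(presented: Iterable[PresentedId], domain: str,
                     services: Iterable[str]) -> List[str]:
    """List which of `services` the presented identifiers would be valid for."""
    presented = list(presented)
    return [s for s in services if matches(presented, domain, s)]


# Constructed sample identifier sets (not taken from any real certificate).
SERVICES = ["xmpp-client", "xmpp-server", "imaps"]
CN_ONLY = [PresentedId("CN-ID", "example.org")]
SRV_ONLY = [PresentedId("SRV-ID", "_xmpp-client.example.org")]
SRV_PLUS_CN = SRV_ONLY + CN_ONLY

if __name__ == "__main__":
    for name, ids in [("CN only", CN_ONLY), ("SRV-ID only", SRV_ONLY),
                      ("SRV-ID + CN", SRV_PLUS_CN)]:
        print(name, "->", services_covered(ids, "example.org", SERVICES))
```

The third case shows why the fallback rule matters: once an SRV-ID is present, the CN no longer widens the certificate to the other services.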
