Ben,
> However, there are several real-world downsides. Most glaring:
>
> 1. In quite a lot of cases (experiments suggest around 4%), clients
> cannot fetch DNSSEC records (nor TLSA records).
>
> 2. DNSSEC has its equivalent of CAs: registries and registrars. Their
> track records on misissuance are not better than CAs.
I don't argue with your first point, but I expect this problem to diminish
over time.

The second statement, though, is not a reasonable comparison. Registrars
operate with the equivalent of name constraints, from a cert issuance
perspective, which makes it much better than the WebPKI TA model. Even if the
TAs in that model were to issue certs including a name constraints extension,
the effect would not be as good as what we have in the DNSSEC/DANE environment.

Steve
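The scoping argument above can be made concrete by modelling how far an issuer's authority reaches under each trust model. The following Python is an added illustration, not code from the perpass thread or from either correspondent; the issuer labels, the "example" TLD and the host names are constructed placeholders. It compares an unconstrained WebPKI trust anchor, a WebPKI TA whose certificate carries an RFC 5280 name-constraints extension, and DNSSEC signers that can only validate names inside their own zone.

```python
"""Added example (not from the perpass thread): model which names an issuer
may vouch for under an unconstrained WebPKI TA, a name-constrained WebPKI TA
(RFC 5280 section 4.2.1.10), and a DNSSEC delegation, where a registry's or
registrant's key only signs RRsets within its own zone.  All issuer labels,
the "example" TLD and the host names are constructed for illustration."""

from dataclasses import dataclass, field


def dns_name_within(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName matching: `name` satisfies `subtree` when it equals
    it or extends it by adding whole labels on the left.  So
    www.host.example.com is within host.example.com, host1.example.com is not."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


@dataclass
class Issuer:
    label: str
    model: str                                      # "webpki" or "dnssec"
    permitted: list = field(default_factory=list)   # permittedSubtrees (dNSName)
    excluded: list = field(default_factory=list)    # excludedSubtrees (dNSName)
    zone: str = ""                                  # DNSSEC: zone this key signs

    def may_vouch_for(self, name: str) -> bool:
        """True if a relying party enforcing this model would accept this
        issuer's assertion about `name`."""
        if self.model == "dnssec":
            # A zone's DNSKEY validates only RRsets in that zone and the DS
            # records delegating below it; names under other zones never chain.
            return dns_name_within(name, self.zone)
        # WebPKI path validation: excludedSubtrees always win, then
        # permittedSubtrees.  An empty permitted list means no restriction,
        # which is how trust anchors are almost universally deployed.
        if any(dns_name_within(name, e) for e in self.excluded):
            return False
        if not self.permitted:
            return True
        return any(dns_name_within(name, p) for p in self.permitted)


# Constructed issuers.  "example" stands in for a TLD; corp.example for a
# registrant's zone.  None of these correspond to real organisations.
ISSUERS = [
    Issuer("Unconstrained WebPKI TA", "webpki"),
    Issuer("Name-constrained WebPKI TA", "webpki", permitted=["corp.example"]),
    Issuer("TLD registry for 'example'", "dnssec", zone="example"),
    Issuer("Registrant zone corp.example", "dnssec", zone="corp.example"),
]


def who_may_vouch(name: str, issuers=ISSUERS) -> list:
    """Return the labels of every issuer whose scope covers `name`."""
    return [i.label for i in issuers if i.may_vouch_for(name)]


if __name__ == "__main__":
    for host in ["www.corp.example", "mail.other.example", "bank.test"]:
        print(host, "->", who_may_vouch(host))
```

Running it shows the asymmetry the message points at: the unconstrained TA can vouch for every host, including one under an unrelated TLD, while the DNSSEC signers are structurally limited to their own subtree. The name-constrained TA looks comparable on paper, but a constraint in a certificate only binds relying parties whose path validation actually enforces the extension, whereas a DNSSEC chain from the wrong zone simply never validates.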
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass