On 6 November 2013 17:06, Stephen Kent <[email protected]> wrote:
> Ben,
>
>> However, there are several real-world downsides. Most glaring:
>>
>> 1. In quite a lot of cases (experiments suggest around 4%), clients
>> cannot fetch DNSSEC records (nor TLSA records).
>>
>> 2. DNSSEC has its equivalent of CAs: registries and registrars. Their
>> track records on misissuance are not better than CAs.
>
> I don't argue with your first point, but I expect this problem to diminish
> over time

So do I.

> The second statement, though, is not a reasonable comparison. Registrars
> operate with the equivalent of name constraints, from a cert issuance
> perspective, which makes it much better than the WebPKI TA model. Even if
> the TAs in that model were to issue certs including a name constraints
> extension, the effect would not be as good as what we have in the
> DNSSEC/DANE environment.

I accept that _registries_ are name constrained. Registrars less so. Not sure I get why this is better than name constrained certificate chains, tho?

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
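The "name constrained certificate chain" the reply asks about can be made concrete with a small checker. The following is an added example, not code from the thread or from any of the participants: it implements the dNSName matching rule of RFC 5280 section 4.2.1.10 (a name satisfies a subtree when it equals the subtree or is formed by adding labels to its left) and applies the constraints of every CA in a path to every certificate beneath it, as path validation requires. The certificate model, the CA names and the DNS names are constructed for the example; the same check is also run over a chain shaped like the DNSSEC delegation the thread compares it to, with a ".com registry" modelled as a CA permitted only the `com` subtree.

```python
"""
Added example (not from the perpass thread): minimal X.509 dNSName
name-constraint checking down a chain, per RFC 5280 sections 4.2.1.10
and 6.1.4. Only the fields relevant to name constraints are modelled.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Cert:
    """Constructed stand-in for a certificate: subject, SAN dNSNames and
    the dNSName entries of its NameConstraints extension, if any."""
    subject: str
    dns_names: List[str] = field(default_factory=list)   # SAN dNSName entries
    permitted: List[str] = field(default_factory=list)   # permittedSubtrees
    excluded: List[str] = field(default_factory=list)    # excludedSubtrees


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName satisfies a subtree if it equals the subtree or
    can be built by adding zero or more labels on the subtree's left.
    Matching is on label boundaries, so notexample.com does not satisfy
    example.com."""
    n = name.lower().rstrip(".")
    s = subtree.lower().rstrip(".")
    return n == s or n.endswith("." + s)


def name_allowed(name: str, permitted: List[str],
                 excluded: List[str]) -> Tuple[bool, str]:
    """Excluded subtrees win over permitted ones; an empty permitted list
    means no restriction."""
    for s in excluded:
        if dns_name_in_subtree(name, s):
            return False, f"{name} lies inside excluded subtree {s}"
    if permitted and not any(dns_name_in_subtree(name, s) for s in permitted):
        return False, f"{name} lies outside every permitted subtree {permitted}"
    return True, "ok"


def check_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """chain is ordered root first, leaf last. The constraints carried by
    certificate i apply to every certificate after it in the path, so a
    sub-CA cannot escape the limits its own issuer placed on it."""
    for i, issuer in enumerate(chain):
        if not issuer.permitted and not issuer.excluded:
            continue
        for subject in chain[i + 1:]:
            for name in subject.dns_names:
                ok, why = name_allowed(name, issuer.permitted, issuer.excluded)
                if not ok:
                    return False, (f"{subject.subject}: {why} "
                                   f"(constraint set by {issuer.subject})")
    return True, "every name satisfies every name constraint in the chain"


def example_chain(leaf_names: List[str]) -> List[Cert]:
    """Constructed WebPKI-style path: unconstrained root, a sub-CA limited
    to example.com but barred from internal.example.com, then a leaf."""
    root = Cert("Example Root CA")
    sub = Cert("Example Constrained Sub-CA",
               permitted=["example.com"],
               excluded=["internal.example.com"])
    return [root, sub, Cert("leaf", dns_names=leaf_names)]


def registry_chain(leaf_names: List[str]) -> List[Cert]:
    """Constructed analogue of a DNSSEC delegation: the .com registry can
    only vouch for names under com."""
    return [Cert("root zone"),
            Cert("com registry", permitted=["com"]),
            Cert("example.com zone", dns_names=leaf_names)]


if __name__ == "__main__":
    for names in (["www.example.com", "example.com"], ["www.other.com"],
                  ["db.internal.example.com"], ["notexample.com"]):
        ok, why = check_chain(example_chain(names))
        print(f"{names}: {'accepted' if ok else 'rejected'} ({why})")
    for names in (["www.example.com"], ["www.example.org"]):
        ok, why = check_chain(registry_chain(names))
        print(f"registry {names}: {'accepted' if ok else 'rejected'} ({why})")
```

Wildcard SANs are not special-cased: RFC 5280 does not define their treatment, and `*.example.com` passes a permitted `example.com` subtree here simply because it ends in `.example.com`, which is how the label-adding rule reads. A real validator also applies the constraints to subject distinguished names and to other GeneralName types, which this example leaves out.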
