Paul,
The MiTM problem is due to X.509, not TLS per se. DANE stops MiTM for TLS. My comfort level with DTLS, or STARTTLS-over-EDNS, or TLS or SSL, is the same: low with X.509, since most nation-state actors and many criminal actors can feed any endpoint a certificate it will believe, no matter what the name is; high once we pitch X.509 into the ash bin of history and get DANE running everywhere.

Your (valid) concerns re MiTM attacks are not about X.509 per se, but with the Web PKI as adopted by browser vendors and the associated CAs.

Steve
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass