On 22 October 2012 09:44, Alexander Gurvitz <[email protected]> wrote:
> Hello.
>
> I don't quite understand what is the purpose of Cert. Usage 0 and 1 TLSA
> records ("CA constraint" and "Service Certificate Constraint"). If we trust
> DNSSEC and TLSA, we need no CA at all, and if we don't trust DNSSEC/TLSA,
> what's the purpose of having any information in the TLSA ? The only place
> such CA/cert. constraint makes sense to me is the certificate itself, HSTS,
> or some checkbox in a browser setup.
Two of these three don't make any sense to me! A CA/cert constraint in the certificate seems pointless - for a start, the cert is already signed by some particular CA, and secondly, why would an evil certificate constrain itself into non-operation? Likewise, checkbox in browser setup - what would this checkbox do? Pick a CA for every site on the 'net? How?

CAs have been arguing in other venues that using TLSA to validate in the browser is inferior to using CAs because CAs are prepared to revoke certificates that are used for bad things, whereas DNS registrars/ICANN are not. OTOH, CAs don't necessarily even know they've issued a cert to revoke, if we look at history. And, of course, not all CAs have the same view of what is bad. This is, of course, why Certificate Transparency exists, so everyone can see what's going on.

Neither TLSA nor CAs are adequate, IMO.

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
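The difference between the four TLSA certificate usages that the question above turns on is easiest to see as acceptance logic. The following is an added example, written for this page and not code from either poster or from any DANE implementation. It models the usage semantics of RFC 6698 (usage 0 PKIX-TA and usage 1 PKIX-EE require normal PKIX validation to succeed *and* the named CA or end-entity certificate to be present, so they can only narrow what the CA store already accepts; usage 2 DANE-TA and usage 3 DANE-EE do not consult the CA store at all). The certificates, chains and record data are constructed placeholders (plain byte strings, not real DER), and `pkix_valid` stands in for the verdict a real TLS library would give; the usage 2 branch only checks that the named anchor is in the chain and omits the path validation a real client would run from that anchor.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# Certificate usages, RFC 6698 section 2.1.1.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selectors, section 2.1.2: full certificate or SubjectPublicKeyInfo.
SEL_CERT, SEL_SPKI = 0, 1
# Matching types, section 2.1.3.
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: DER of the whole certificate and
    DER of its SubjectPublicKeyInfo. Values below are constructed, not DER."""
    name: str
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def association_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """Bytes a TLSA record with this selector/matching type would carry."""
    selected = cert.der if selector == SEL_CERT else cert.spki
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def _matches(record: TLSA, cert: Cert) -> bool:
    return association_data(cert, record.selector, record.matching_type) == record.data


def tlsa_accepts(record: TLSA, chain: List[Cert], pkix_valid: bool) -> bool:
    """Does the presented chain satisfy one TLSA record?

    chain[0] is the end-entity certificate, the rest is the path the server
    sent, ending at its root. pkix_valid is the TLS library's verdict
    against the system CA store: required for usages 0 and 1, ignored for
    2 and 3.
    """
    ee = chain[0]
    if record.usage == PKIX_TA:
        # CA constraint: PKIX must pass AND the named CA must be in the path.
        return pkix_valid and any(_matches(record, c) for c in chain)
    if record.usage == PKIX_EE:
        # Service certificate constraint: PKIX must pass AND the EE must match.
        return pkix_valid and _matches(record, ee)
    if record.usage == DANE_TA:
        # Trust anchor assertion: the record names the anchor the chain must
        # lead to; the CA store is not consulted. (Simplified: presence only.)
        return any(_matches(record, c) for c in chain[1:])
    if record.usage == DANE_EE:
        # Domain-issued certificate: matching the EE alone is sufficient.
        return _matches(record, ee)
    raise ValueError(f"unknown certificate usage {record.usage}")


# Constructed sample chains: distinct byte strings standing in for DER.
ROOT = Cert("Example Root CA", b"der:root", b"spki:root")
ISSUING = Cert("Example Issuing CA", b"der:issuing", b"spki:issuing")
SERVER = Cert("www.example.com", b"der:server", b"spki:server")
CHAIN = [SERVER, ISSUING, ROOT]

# Same name, issued by an unrelated but publicly trusted CA: the case the
# usage 0 and 1 constraints exist to reject even though PKIX accepts it.
OTHER_ROOT = Cert("Other Public CA", b"der:other-root", b"spki:other-root")
MISISSUED = Cert("www.example.com", b"der:misissued", b"spki:misissued")
OTHER_CHAIN = [MISISSUED, OTHER_ROOT]


def record_for(usage: int, cert: Cert, selector: int = SEL_SPKI,
               matching_type: int = MATCH_SHA256) -> TLSA:
    """Build the TLSA record an operator would publish for `cert`."""
    return TLSA(usage, selector, matching_type,
                association_data(cert, selector, matching_type))


def demo() -> dict:
    ca_constraint = record_for(PKIX_TA, ISSUING)
    ee_constraint = record_for(PKIX_EE, SERVER)
    private_anchor = record_for(DANE_TA, ROOT)
    domain_issued = record_for(DANE_EE, SERVER)
    return {
        "usage0_legit": tlsa_accepts(ca_constraint, CHAIN, True),
        "usage0_misissued": tlsa_accepts(ca_constraint, OTHER_CHAIN, True),
        "usage0_untrusted_store": tlsa_accepts(ca_constraint, CHAIN, False),
        "usage1_legit": tlsa_accepts(ee_constraint, CHAIN, True),
        "usage1_misissued": tlsa_accepts(ee_constraint, OTHER_CHAIN, True),
        "usage2_private_ca": tlsa_accepts(private_anchor, CHAIN, False),
        "usage3_no_ca_store": tlsa_accepts(domain_issued, CHAIN, False),
        "usage3_misissued": tlsa_accepts(domain_issued, OTHER_CHAIN, True),
    }
```

The `usage0_untrusted_store` case is the practical caveat: a usage 0 or 1 record never makes a chain acceptable on its own, so publishing one for a private CA breaks the site for every DANE-aware client, whereas the same chain passes under usage 2 or 3.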
