On Mon, 22 Oct 2012, Phillip Hallam-Baker wrote:
> One consequence of that positioning was that they could not accept any advice from any of the people who work with CAs as they imagined all such advice was designed to sabotage their efforts. Which meant that they began by cutting themselves off from all advice from people with practical experience of what they were attempting to do.
We listened, Phillip. In fact, we bend over backwards for the PKIX people, and you got various Usage types specifically to support the CA model. The fact that this model has diminishing returns is something you can bring up behind CABforum's reconfirmed closed doors.
> The big problem with DANE is that it relies on people putting correct information into the DNS and keeping it correct
Luckily, people already need to do that and have years of experience of putting the right data in DNS.
> even when it is going to have (initially) marginal impact on functionality. Information in DANE could be useful for some parties to use to curate certificate data in combination with other data but it isn't viable for client enforcement in an end to end model.
Now who's levelling downtown Niagara?
> Any plan that relies on the typical Webmaster doing anything different is unlikely to succeed.
The webmaster just needs to stick to the same "CA", whether a private one, or one from CABforum. I fail to see the rocket science here, though there is clearly the appearance of a smoke screen here.

Paul

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
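The mechanism argued over above, worked through as an added example (this code is not from the thread or either of its authors): a zone operator publishes TLSA records (RFC 6698), and the choice of Usage and Selector decides whether renewing the server certificate under the same CA leaves the DNS data correct, and whether a PKIX-valid certificate from some other CA is rejected by a DANE-enforcing client. The Usage field covers both the PKIX-tied values the reply refers to (0 and 1) and the DANE-only ones (2 and 3). Certificates are constructed stand-ins with fake DER and SubjectPublicKeyInfo byte strings so the example runs offline without an X.509 parser; the owner name `_443._tcp.www.example.com.`, the CA names and the simplified chain handling described in the comments are assumptions, not anything the thread states.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Certificate usage (RFC 6698 s2.1.1); usages 0 and 1 also require PKIX validity
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector (s2.1.2): 0 = full certificate, 1 = SubjectPublicKeyInfo
CERT, SPKI = 0, 1
# Matching type (s2.1.3): 0 = exact, 1 = SHA-256, 2 = SHA-512
EXACT, SHA256, SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not real DER)."""
    subject: str
    issuer: str
    der: bytes   # stands in for the DER encoding of the whole certificate
    spki: bytes  # stands in for the DER SubjectPublicKeyInfo


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

    def presentation(self, owner: str = "_443._tcp.www.example.com.") -> str:
        """Zone-file form of the record; the owner name is an assumed example."""
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.matching} {self.data.hex()}"


def _association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Apply selector then matching type, exactly as for the RDATA field."""
    raw = cert.der if selector == CERT else cert.spki
    if matching == EXACT:
        return raw
    if matching == SHA256:
        return hashlib.sha256(raw).digest()
    if matching == SHA512:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert: Cert, usage: int, selector: int, matching: int) -> TLSA:
    """The record a zone operator publishes to pin `cert`."""
    return TLSA(usage, selector, matching, _association_data(cert, selector, matching))


def tlsa_matches(record: TLSA, chain: list[Cert], pkix_valid: bool) -> bool:
    """Client-side check of one record against a presented chain (chain[0] = end entity).

    Simplification: a CA pinned by usage 0 or 2 must appear in the sent chain, and
    `pkix_valid` stands for the client's ordinary path validation result.
    """
    def hit(cert: Cert) -> bool:
        return _association_data(cert, record.selector, record.matching) == record.data

    if record.usage == PKIX_TA:
        return pkix_valid and any(hit(c) for c in chain[1:])
    if record.usage == PKIX_EE:
        return pkix_valid and hit(chain[0])
    if record.usage == DANE_TA:
        return any(hit(c) for c in chain[1:])
    if record.usage == DANE_EE:
        return hit(chain[0])
    return False


def publish_records(ee: Cert, ca: Cert) -> dict[str, TLSA]:
    """Four ways the zone operator might pin www.example.com."""
    return {
        "3 1 1 pins EE key": make_tlsa(ee, DANE_EE, SPKI, SHA256),
        "3 0 1 pins EE cert": make_tlsa(ee, DANE_EE, CERT, SHA256),
        "2 1 1 pins CA key": make_tlsa(ca, DANE_TA, SPKI, SHA256),
        "0 0 1 pins CA cert (PKIX)": make_tlsa(ca, PKIX_TA, CERT, SHA256),
    }


# Constructed certificates: one CA, an EE cert, its renewal under the same CA,
# and a PKIX-valid cert for the same name issued by a different CA.
CA = Cert("Example CA", "Example CA", b"CA-DER-constructed", b"CA-SPKI-constructed")
EE_2012 = Cert("www.example.com", "Example CA", b"EE-DER-2012", b"EE-SPKI-2012")
EE_2013 = Cert("www.example.com", "Example CA", b"EE-DER-2013", b"EE-SPKI-2013")
OTHER_CA = Cert("Other CA", "Other CA", b"OTHER-CA-DER", b"OTHER-CA-SPKI")
EE_ROGUE = Cert("www.example.com", "Other CA", b"ROGUE-DER", b"ROGUE-SPKI")


def rotation_demo() -> dict[str, tuple[bool, bool]]:
    """(matches before renewal, matches after renewal) for each published record."""
    recs = publish_records(EE_2012, CA)
    return {k: (tlsa_matches(r, [EE_2012, CA], True), tlsa_matches(r, [EE_2013, CA], True))
            for k, r in recs.items()}


def misissuance_demo() -> dict[str, bool]:
    """Does a PKIX-valid cert from another CA satisfy records pinned to Example CA?"""
    recs = publish_records(EE_2012, CA)
    return {k: tlsa_matches(r, [EE_ROGUE, OTHER_CA], True) for k, r in recs.items()}
```

Running `rotation_demo()` shows the two usage-3 records stop matching the moment the EE certificate is renewed, while the usage-2 and usage-0 records pinned to the CA keep matching without any DNS change; `misissuance_demo()` shows that all four records reject a certificate for the same name from a different CA even though it passes PKIX. A production client would additionally run path validation up to the pinned anchor for usage 2 (RFC 7671) rather than only look for the CA in the sent chain.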
