On Mon, 22 Oct 2012, Ben Laurie wrote:
> CAs have been arguing in other venues that using TLSA to validate in the browser is inferior to using CAs because CAs are prepared to revoke certificates that are used for bad things, whereas DNS registrars/ICANN are not.

Of course, the registrant/DNS hoster itself _can_ and _should_ remove the TLSA record from DNS. Either when it used TLSA for pinning and the CA got compromised, or when the DNS provider itself got compromised.

> This is, of course, why Certificate Transparency exists, so everyone can see what's going on. Neither TLSA nor CAs are adequate, IMO.

I haven't yet read the draft. The tricky thing of not trusting the publisher of the certificate data (eg the DNS hoster or web admin) is one of timing, false positives and delegated (implicit) trust to more third parties.

Paul

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
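As an added illustration of what "remove the TLSA record from DNS" does for the operator, below is an example (not from this thread and not code of any participant) of how a DANE-aware client matches a TLSA record against a server certificate per RFC 6698. The `TLSARecord` parser, the `dane_ee_check` helper, the status strings and the byte strings standing in for SubjectPublicKeyInfo material are all constructed for this example; only the Python standard library is used. It covers the three matching types and both selectors, not just the `3 1 1` form shown in the sample data.

```python
"""Added example: TLSA record matching (RFC 6698) with constructed inputs."""
import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 field values
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # the "certificate association data"


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse TLSA RDATA in presentation format, e.g. '3 1 1 ab12...'."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type and data")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching_type not in (0, 1, 2):
        raise ValueError("unknown TLSA usage/selector/matching type")
    data = bytes.fromhex("".join(fields[3:]))  # hex may be split across tokens
    return TLSARecord(usage, selector, matching_type, data)


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute the bytes a TLSA record would have to carry for this certificate."""
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def record_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    expected = association_data(cert_der, spki_der, record.selector, record.matching_type)
    return hmac.compare_digest(expected, record.data)  # length-safe constant-time compare


def dane_ee_check(records, cert_der: bytes, spki_der: bytes, pkix_valid: bool) -> str:
    """Decide how a DANE-aware client treats an end-entity certificate.

    Only the end-entity usages (1 and 3) are modelled; the trust-anchor usages
    (0 and 2) need chain walking and are out of scope for this example.
    """
    if not records:
        # Record withdrawn by the DNS hoster: the client behaves like a non-DANE client.
        return "no-tlsa: PKIX only"
    for r in records:
        if r.usage == USAGE_DANE_EE and record_matches(r, cert_der, spki_der):
            return "dane-ee match"  # usage 3: PKIX result is irrelevant
        if r.usage == USAGE_PKIX_EE and pkix_valid and record_matches(r, cert_der, spki_der):
            return "pkix-ee match"  # usage 1: PKIX validation is required as well
    return "tlsa mismatch: reject"


# Constructed placeholder key material (not real DER); only its hash matters here.
SPKI_CURRENT = b"constructed SPKI of the key the operator currently pins"
SPKI_ROGUE = b"constructed SPKI of a different key seen after a CA compromise"
PINNED = parse_tlsa("3 1 1 " + hashlib.sha256(SPKI_CURRENT).hexdigest())


def demo():
    """Pinned key accepted; a different key rejected; record removed -> PKIX only."""
    return (
        dane_ee_check([PINNED], b"", SPKI_CURRENT, pkix_valid=True),
        dane_ee_check([PINNED], b"", SPKI_ROGUE, pkix_valid=True),
        dane_ee_check([], b"", SPKI_ROGUE, pkix_valid=True),
    )


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The third case is the one the reply above describes: once the registrant pulls the record, a DANE client no longer has a pin to enforce and falls back to ordinary PKIX validation, so removal is the DNS-side counterpart of CA revocation (a real client would only reach that fallback after DNSSEC-authenticated denial of the record).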
