> > I'm one of the CAs that have been arguing in other venues that using
> > TLSA w/o PKIX validation is inferior to using CAs (w/ PKIX validation).
> > Having an established mechanism for revocation is just one of the
> > reasons I believe this.
>
> How is replacing the TLSA record not equal to revocation, except within
> the middle man delays?
It's similar, except that all CAs document their revocation process and reasons in their CPS documents. It's very transparent and understood. Have DNS providers documented their process and reasons for removing a TLSA record? Who monitors them to make sure they're doing it properly, or at least doing it according to a documented process?

> If only CABF was open, I could actually try and reason with you to see
> if you are right. Unfortunately, CABF recently committed to remain
> closed.

This is a mischaracterization. The CABF did not recently commit to remain closed. It became more open, just not open enough for some people. Even if we disagree on that, why can't we discuss this issue in this forum?

-Rick

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
