On Mon, 22 Oct 2012, Rick Andrews wrote:
>> How is replacing the TLSA record not equal to revocation, except within
>> the middle man delays?
>
> It's similar, except that all CAs document their revocation process and reasons
> in their CPS documents. It's very transparent and understood. Have DNS
> providers documented their process and reasons for removing a TLSA record? Who
> monitors them to make sure they're doing it properly, or at least doing it
> according to a documented process?

The registrant either is the DNS operator, or has sourced it out to
a DNS operator that already has full control to take over the
sites, document changelogs, etc. For the registrant, this adds no new
requirement. The reason the CAs need such documentation is because it
is an addition to the process the registrant needs to be able to audit.

>> If only CABF was open, I could actually try and reason with you to see
>> if you are right. Unfortunately, CABF recently committed to remain
>> closed.
>
> This is a mischaracterization. The CABF did not recently commit to remain
> closed. It became more open, just not open enough for some people. Even if we
> disagree on that, why can't we discuss this issue in this forum?

We can discuss it, but statements on how well CAs do certain things are
something I cannot validate. That's all I was saying.
Paul
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
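The exchange above turns on a mechanical point: under DANE-EE (RFC 6698 usage 3), a server key is trusted only while a matching TLSA record sits in the zone, so replacing the record withdraws trust in the old key, and the only lag is what resolvers still hold in cache. The following is an added example, not code from the thread or from any DANE implementation, showing that mechanism end to end: it builds TLSA records for two keys, implements the RFC 6698 matching-type check, and models the "middle man delay" as a toy caching resolver with a TTL. The SPKI byte strings, the zone name and the resolver class are constructed for illustration; a real client would take the SubjectPublicKeyInfo from the server's certificate and query DNS with DNSSEC validation.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER SubjectPublicKeyInfo of two server keys
# (placeholders, not real keys; a real client would extract these from the
# presented certificate).
OLD_SPKI = b"constructed-spki-old-key-" + bytes(range(32))
NEW_SPKI = b"constructed-spki-new-key-" + bytes(range(32, 64))

DANE_EE, SPKI, SHA256 = 3, 1, 1   # RFC 6698 usage / selector / matching type


def association_data(selected: bytes, mtype: int) -> bytes:
    """Apply the TLSA matching type to the bytes chosen by the selector."""
    if mtype == 0:
        return selected                       # Full: compare the raw bytes
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_record(selected: bytes, usage=DANE_EE, selector=SPKI, mtype=SHA256) -> str:
    """Presentation form of one TLSA RR, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {association_data(selected, mtype).hex()}"


def parse_tlsa(rr: str):
    usage, selector, mtype, data = rr.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def dane_ee_accepts(spki: bytes, rrset) -> bool:
    """True if any DANE-EE/SPKI record in the RRset matches this key.
    Usages 0-2 need a certificate chain as well, so they are skipped here."""
    for rr in rrset:
        usage, selector, mtype, data = parse_tlsa(rr)
        if usage != DANE_EE or selector != SPKI:
            continue
        if hmac.compare_digest(association_data(spki, mtype), data):
            return True
    return False


class CachingResolver:
    """Toy resolver (constructed): keeps the last RRset it fetched until its
    TTL runs out. This is the delay between a zone change and clients seeing it."""

    def __init__(self, zone: dict, ttl: int):
        self.zone, self.ttl = zone, ttl
        self.cache = {}   # name -> (rrset, expires_at)

    def lookup(self, name: str, now: int):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]
        rrset = list(self.zone.get(name, []))
        self.cache[name] = (rrset, now + self.ttl)
        return rrset


def rollover_demo(ttl: int = 3600):
    """Publish OLD, let a resolver cache it, replace it with NEW in the zone,
    then see what that resolver's clients accept before and after TTL expiry."""
    name = "_443._tcp.example.net."          # constructed zone name
    zone = {name: [tlsa_record(OLD_SPKI)]}
    resolver = CachingResolver(zone, ttl)

    t0 = 0
    before = dane_ee_accepts(OLD_SPKI, resolver.lookup(name, t0))            # True

    # The zone operator withdraws OLD by replacing the record with NEW.
    zone[name] = [tlsa_record(NEW_SPKI)]

    # Inside the TTL the cached RRset is served, so the old key is still accepted.
    stale = dane_ee_accepts(OLD_SPKI, resolver.lookup(name, t0 + ttl // 2))   # True
    # Once the TTL lapses the resolver refetches: old key rejected, new accepted.
    after_old = dane_ee_accepts(OLD_SPKI, resolver.lookup(name, t0 + ttl))    # False
    after_new = dane_ee_accepts(NEW_SPKI, resolver.lookup(name, t0 + ttl))    # True
    return before, stale, after_old, after_new


if __name__ == "__main__":
    print(rollover_demo())
```

The check compares digests with `hmac.compare_digest` so that a mismatched record does not leak timing information, and it only honours usage 3 / selector 1 records; a client that also supports usages 0-2 must additionally validate the PKIX chain. The TTL window in `rollover_demo` is the whole of the "middle man delay" the thread mentions: an operator who wants fast withdrawal lowers the TLSA TTL ahead of time, exactly as one would shorten OCSP validity for a CA-issued certificate.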