On 22 October 2012 17:00, Paul Wouters <[email protected]> wrote:
> On Mon, 22 Oct 2012, Ben Laurie wrote:
>
>> CAs have been arguing in other venues that using TLSA to validate in
>> the browser is inferior to using CAs because CAs are prepared to
>> revoke certificates that are used for bad things, whereas DNS
>> registrars/ICANN are not.
>
>
> Of course, the registrant/DNS hoster itself _can_ and _should_ remove
> the TLSA record from DNS. Either when it used TLSA for pinning and the
> CA got compromised, or when the DNS provider itself got compromised.
>
>
>> This is, of course, why Certificate Transparency exists, so everyone
>> can see what's going on. Neither TLSA nor CAs are adequate, IMO.
>
>
> I haven't yet read the draft.

Well, you should.

> The tricky thing of not trusting the
> publisher of the certificate data (eg the DNS hoster or web admin)
> is one of timing, false positives and delegated (implicit) trust to
> more third parties.

I'm not sure if this is a comment on the draft you haven't read, or
something else?

>
> Paul
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
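As an added illustration of the TLSA matching the thread is arguing about (my own example, not code from any participant), the check below validates a presented certificate against a set of DANE-EE TLSA records in the RFC 6698 style and shows that once the zone operator removes the record, as Paul describes, the match simply fails. The certificate, SubjectPublicKeyInfo bytes and the record are constructed placeholders; usages 0 to 2, which also require PKIX chain validation, are deliberately skipped.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA RDATA tuple (RFC 6698): usage, selector, matching type, data."""
    usage: int      # 3 = DANE-EE: pin the end-entity cert itself, no CA chain needed
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Split raw TLSA RDATA into its three one-octet fields and the data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return TLSARecord(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Derive what the record's data field must equal for this certificate."""
    if selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("unknown selector or matching type; record is unusable")
    selected = cert_der if selector == 0 else spki_der
    if matching == 0:
        return selected
    return (hashlib.sha256 if matching == 1 else hashlib.sha512)(selected).digest()


def dane_ee_match(records, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any DANE-EE (usage 3) record matches the presented certificate.
    An empty set, e.g. after the operator removed the record, never matches."""
    for rec in records:
        if rec.usage != 3:
            continue  # usages 0-2 additionally need PKIX chain validation, not done here
        try:
            expected = association_data(cert_der, spki_der, rec.selector, rec.matching)
        except ValueError:
            continue  # unusable record: skip it rather than fail open
        if hmac.compare_digest(expected, rec.data):
            return True
    return False


# Constructed stand-ins for DER-encoded certificate and SPKI bytes (not real X.509 data).
CERT_DER = b"constructed-end-entity-certificate"
SPKI_DER = b"constructed-subject-public-key-info"
# Published record "3 1 1 <sha256 of SPKI>", built as a zone would publish it.
PUBLISHED = parse_tlsa_rdata(bytes([3, 1, 1]) + hashlib.sha256(SPKI_DER).digest())

if __name__ == "__main__":
    print("pinned:", dane_ee_match([PUBLISHED], CERT_DER, SPKI_DER))   # True
    print("record removed:", dane_ee_match([], CERT_DER, SPKI_DER))     # False
```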