On Tue, Oct 23, 2012 at 10:35:00AM -0700, Rick Andrews wrote:
>
> Yes, but with DANE w/o PKIX I have to trust that the domain owners with
> self-signed certs did everything right when generating their keys and certs,
> because no one is checking them.
>

This is a bizarre claim. You seem to be arguing that the TLSA operation is somehow intrinsically harder than configuring the DNS correctly or doing DNSSEC. What makes TLSA peculiarly hard?

Best,

A

--
Andrew Sullivan
[email protected]
