Andrew,

I'm not arguing about TLSA at all. I'm saying that even before the site owner 
asks their DNS provider to set up a TLSA record, if they create their own 
self-signed cert, no one verifies anything about this key or the cert contents. 
I have to trust that they did everything right (didn't use an unpatched Debian 
system, didn't reuse the same key they've been using for 10 years, didn't put 
misleading info into the DN, etc.)

-Rick

> -----Original Message-----
> From: [email protected] [mailto:therightkey-
> [email protected]] On Behalf Of Andrew Sullivan
> Sent: Tuesday, October 23, 2012 10:52 AM
> To: [email protected]
> Subject: Re: [therightkey] TLSA Cert. Usage
> 
> On Tue, Oct 23, 2012 at 10:35:00AM -0700, Rick Andrews wrote:
> >
> > Yes, but with DANE w/o PKIX I have to trust that the domain owners
> with self-signed certs did everything right when generating their keys
> and certs, because no one is checking them.
> >
> 
> This is a bizarre claim.  You seem to be arguing that the TLSA
> operation is somehow intrinsically harder than configuring the DNS
> correctly or doing DNSSEC.  What makes TLSA peculiarly hard?
> 
> Best,
> 
> A
> 
> --
> Andrew Sullivan
> [email protected]
> _______________________________________________
> therightkey mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/therightkey
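The concrete form of Rick's point is that with a DANE-EE (usage 3) TLSA record the site owner is the only party who ever inspects the self-signed certificate, so the checks a CA would normally perform on the key and certificate have to be run locally. The script below is an added example written for this page, not code from the thread or from the IETF list; it assumes the `openssl` command-line tool is installed, and the host name `example.invalid`, the `_443._tcp` record name and the file names are constructed placeholders. It generates a self-signed certificate, runs the sanity checks nobody else will run (RSA modulus at least 2048 bits, SHA-256 signature, not expired), and derives the matching "3 1 1" TLSA record data (SHA-256 over the DER SubjectPublicKeyInfo, per RFC 6698).

```shell
#!/bin/sh
# Added example (not part of the thread): self-checks a site owner has to run on a
# self-signed cert before publishing a DANE-EE (usage 3) TLSA record, because no
# third party inspects the key or the certificate contents in that model.
# Assumes the openssl CLI; host name and file names are constructed placeholders.

set -e

WORK="${TMPDIR:-/tmp}/dane-selfcheck.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Generate a fresh RSA key and self-signed cert.  $1 = key size in bits, $2 = output prefix.
make_selfsigned_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 365 \
        -subj "/CN=example.invalid" \
        -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# RFC 6698 TLSA data for usage 3, selector 1 (SubjectPublicKeyInfo),
# matching type 1 (SHA-256): hex digest of the DER-encoded public key.
tlsa_311_for_cert() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the RSA modulus length (bits) of the certificate's public key.
key_bits_for_cert() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -text -noout \
      | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# The checks a CA would normally apply but nobody applies to a self-signed DANE-EE cert.
# Prints "ok", or the first failing check ("weak-key:<bits>", "weak-sig", "expired").
check_selfsigned_cert() {
    bits=$(key_bits_for_cert "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] || { echo "weak-key:$bits"; return 1; }
    openssl x509 -in "$1" -noout -text | grep -q 'sha256WithRSAEncryption' \
        || { echo "weak-sig"; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
        || { echo "expired"; return 1; }
    echo ok
}

# Usage (constructed example): generate a 2048-bit cert, check it, print the TLSA record.
make_selfsigned_cert 2048 "$WORK/site"
check_selfsigned_cert "$WORK/site.crt"
echo "_443._tcp.example.invalid. IN TLSA 3 1 1 $(tlsa_311_for_cert "$WORK/site.crt")"
```

The checks are deliberately narrow: key length, signature algorithm and validity are what can be verified offline from the certificate alone. Whether the key was produced by a broken random number generator or reused from an older deployment is exactly the part that cannot be seen from the certificate, which is the gap Rick is describing.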