On Mon, Nov 17, 2014 at 09:51:57PM +0000, Rob Stradling wrote:
> I'm interested in making revocation checking for the WebPKI actually
> work when it needs to work!  And that means finding a way for
> browsers to be able to hard-fail when revocation status is
> unobtainable.
>
> [...]

What you say is true, but what we need here is a time machine.  One that
can travel backwards in time cheaply.  That one is stuck in AUTH48, I
hear, and we might not get it for a while yet.

Deadly embrace problems simply take time to fix.

DANE stands a pretty good chance of helping simplify a lot of things,
which is one reason that I'm a fan.  Right out of the gate DANE is way
ahead of PKIX w.r.t. naming constraints, and that's a huge part of the
battle -- nigh the most important, since the number of CAs that can
impersonate a service becomes: the number of labels in the TLSA RRset
domainname.

DANE can be stapled, and it's rather straightforward to do so too.  Yes,
there are issues, like the DNSSEC RSA 1024 root key, and the lack of
logging of delegations, but we know what they are and they are
tractable.

Nico
-- 

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
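To make the naming-constraint point above concrete, here is an added example; it is not code from the post or from any DANE implementation. It builds the TLSA owner name for a service, lists the names on its DNSSEC signing path (the "number of labels" bound), and generates and matches TLSA association data per RFC 6698. The certificate and SPKI bytes are constructed stand-ins, not real DER, the function names are the example's own, and DNSSEC validation and stapling of the chain are assumed to happen elsewhere.

```python
"""DANE/TLSA helpers.  Added example, not code from the mailing-list post
or from any DANE implementation.  Certificate and SPKI bytes are constructed
stand-ins, not real DER."""
import hashlib
import hmac
from typing import List, Optional, Tuple

# TLSA RDATA field values (RFC 6698).
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

TlsaRecord = Tuple[int, int, int, bytes]  # (usage, selector, matching type, data)


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.').lower()}."


def signing_zones(owner: str) -> List[str]:
    """Ancestor names of the TLSA owner, root first.

    Under DNSSEC only a key holder for a name on this path (or a zone that
    delegates to it) can sign a forged TLSA RRset, so the list bounds who can
    impersonate the service: one entry per label plus the root.  Zone cuts are
    not visible from the name alone, so this is an upper bound; _443 and _tcp
    are normally plain labels inside the parent zone, not zones of their own.
    """
    labels = owner.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def _association_data(selector: int, mtype: int, cert_der: bytes,
                      spki_der: bytes) -> Optional[bytes]:
    """Bytes a record with this selector/matching type carries, or None if
    the selector or matching type is one we do not support."""
    data = {SELECTOR_FULL_CERT: cert_der, SELECTOR_SPKI: spki_der}.get(selector)
    if data is None:
        return None
    if mtype == MATCH_EXACT:
        return data
    if mtype == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    return None


def tlsa_presentation(usage: int, selector: int, mtype: int,
                      cert_der: bytes, spki_der: bytes) -> str:
    """What an operator publishes: presentation form '3 1 1 <hex>'."""
    assoc = _association_data(selector, mtype, cert_der, spki_der)
    if assoc is None:
        raise ValueError("unsupported selector or matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse presentation form; the hex field may be split by whitespace."""
    usage, selector, mtype, *hexparts = presentation.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the record's association data match the presented certificate?

    This is only the matching step.  Usages 0 and 1 still require a normal
    PKIX chain validation, usage 2 requires chaining to the named trust
    anchor, and only usage 3 (DANE-EE) is satisfied by this match alone.
    An unknown selector or matching type never matches.
    """
    _usage, selector, mtype, assoc = record
    expected = _association_data(selector, mtype, cert_der, spki_der)
    return expected is not None and hmac.compare_digest(expected, assoc)


def needs_pkix_validation(usage: int) -> bool:
    """Usages 0 and 1 (PKIX-TA, PKIX-EE) still depend on the WebPKI chain."""
    return usage in (USAGE_PKIX_TA, USAGE_PKIX_EE)


# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
CERT_DER = b"constructed stand-in for a DER certificate"
SPKI_DER = b"constructed stand-in for a DER SubjectPublicKeyInfo"


if __name__ == "__main__":
    owner = tlsa_owner("www.example.com", 443)
    print(owner, "->", signing_zones(owner))
    rec = parse_tlsa(tlsa_presentation(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                                       CERT_DER, SPKI_DER))
    print("DANE-EE SPKI match:", tlsa_matches(rec, CERT_DER, SPKI_DER))
```

Compare the six names returned by signing_zones with the hundreds of roots a WebPKI client trusts for the same host: that gap is the constraint the post is pointing at. Publishing a usage-3, selector-1 record (the SPKI, not the whole certificate) also lets the key survive certificate reissuance without a DNS change.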