DNSSEC is a PKI [of sorts; please, no need to pick nits about that]. It stands to reason that DNSSEC should have similar trust problems as PKIX. I believe it does indeed.
It follows that things like CT that we're applying to PKIX should be applied to DNSSEC as well, where possible. I don't see any reason why CT couldn't be extended to DNSSEC. IMO, it should be done.
Note that DNSSEC needs CT independently of protocols like DANE, but any protocol that allows a DNSSEC MITM to bypass PKIX CT (as DANE effectively does) should increase the need for CT for DNSSEC.
Note too that I'm not in any way saying that DANE and similar should block on CT for DNSSEC.
Sincerely,
Nico
--
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
