On Fri, May 9, 2014 at 9:06 PM, Nico Williams <[email protected]> wrote:
> A counter-argument would be that DNSSEC is like PKI with name
> constraints done properly, and with most domains being children of
> TLDs, there's really only two entities that can MITM them: the root
> and the TLD registrars.

... and the (outsourced) DNS operator and the DNS parent(s) / registry..

This is also the set of folk who can update / return other answers for MX queries, and so, if willing to dink with stuff, could obtain a domain validated cert.

I suspect we may be getting somewhat off topic for Trans, and into discussions we have had a number of times on the DANE list...

W

>
> Therefore the risk of dishonest "CAs" is lower for DNSSEC than it is for PKI.
>
> I've seen skepticism about CT along the lines of "who will pay?" and
> "it's just another tax". I don't think that should be dismissed out
> of hand. But I do think that in the long run we should do anything
> that we can do and that is economical (very important, that) to make
> it easier to at least catch misbehaving CAs/registrars/... the jury
> is still out as to whether CT be economical, right?
>
> Nico
> --
>
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
