> On May 11, 2016, at 4:25 PM, John Levine <[email protected]> wrote:
> 
> I think it's fair to say that we're still a long way away from broad
> DNSSEC adoption.  This doesn't mean we should ignore it, but it does
> mean that non-DNSSEC approaches like the one here are worth thinking
> about.

Quite fair, though DNSSEC adoption does not happen in a vacuum; there
have to be incentives to do it.  If the large providers got enough round
tuits and implemented DANE/DNSSEC for their domains, there would be
a stronger incentive for others to follow suit.

> PS: I specifically take no position about the relative credibility of
> some random DNSSEC signed ccTLD from a country I've never visited and
> some random CA in my browser's list with a CPS link that's 404.

Here I posit we gloss over the fact that while some random CA can issue
certificates for any domain, the registry for some ccTLD can only sign
delegations for that ccTLD, and unlike the CA they are actually
authoritative for such delegations.  But we digress; the key thing to
avoid is comparing EV with DANE/DNSSEC.  The right comparison is with DV,
and DANE+DNSSEC is stronger than DV, where proofs of control are rather
skimpy, and rogue CAs unrelated to the domain's registration can mint
"out of the blue" certificates.

Yes, the STS train will leave the station.  There's no substantive
disagreement between us, just minor misunderstandings and differences
of emphasis.

-- 
        Viktor.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta