> On May 14, 2018, at 1:41 PM, Daniel Margolis <[email protected]> wrote:
>
> I don't understand either of these comments.
>
> The TXT record could only safely be used to select the host (i.e. the in-zone
> name) for the policy URL, not the fully qualified domain, so I don't think it
> introduces the weakness Viktor supposes.
Yes, I was well aware that the name would have to share a suffix with the
policy domain. And yet, there is still a problem if there are any names
in the policy domain that are controlled by customers, rather than the parent
organization. I don't think that an insecurely vended policy authority (even
within the policy domain) is a good idea.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta