On Tue, Jun 4, 2013 at 4:07 AM, Yoav Nir <[email protected]> wrote:
>
> If we want to find out a hash of the public key for an HTTPS server
> using heavy infrastructure, we might as well use DANE, no?
>

If TLSA records have typical DNS TTLs (a few hours or days), then they will probably be too short-lived to be effectively stored in lists and downloaded to browsers, etc.

If they are longer-lived, then all the issues we're discussing here will still arise (a DNS hijacker or disgruntled sysadmin setting a long-lived DANE pin, etc.).

Trevor
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
