I've seen many corporate failures to ensure the availability of unexpired certificates. It's a big problem. Without an online certification protocol, it is organizationally difficult to keep certificates valid!
DANE, of course, doesn't have validity periods, just TTLs, so it shouldn't suffer from this. But DANE with pinning still would. And rebuilding a host without preserving its private keys would still cause failures. But at least organizationally, DANE is much, much easier to handle than PKIX. (Kerberos has validity periods, but does much better because it has online infrastructure, at the increased risk of downtime if that infrastructure becomes unavailable.)

Nico
--
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
