On Wed, April 8, 2015 4:38 pm, Joseph Bonneau wrote:
> My recent research on HSTS and HPKP deployment in practice has
> convinced me that much more attention needs to be paid to making
> developers' lives easier.

I certainly agree with this.

From a UA perspective, does this address any of the concerns that DANE/DNSSEC suffer from? No, not really. So is this an improvement over DANE/DNSSEC? Only in syntax, not in deployability.

Respectfully, this is a solution in search of a problem space. That Phillip suggests it's deployable without DNSSEC is itself telling that it's not meant to be an apples:apples conversion for the client. If we assume it's for discoverability for preloads, then it's ill-defined who the discovering actors are and whether or not they're interested in it, but is a question worth having in the "Is this a problem" side before an "I have a solution" side is broached.

When I look at this from the "What problem does it solve" and "In doing so, does it introduce new problems" perspective, I'm not sure I agree with the first question, and even if I did, the answers to the second question are rightfully concerning.
