On Mon, Mar 30, 2015 at 1:00 PM, Scott Rea <scott....@digicert.com> wrote:
>
> > On the contrary, letsencrypt could use DANE TLSA records as DV proofs
> > which would drive deployment of DANE.
> I actually think Max is making the opposite argument - that the proposal
> is "anti CA" (or maybe anti X.509) and "pro DANE" and asking for
> justification of why we want to move away from the current
> implementation base to an unproven trust model that extremely few have
> demonstrated a willingness to adopt at this point


Hmm, I'm not sure how you and Max got this out of the discussion in the
meeting, but perhaps I can clarify.

ACME has two potential interactions with DANE.

1. DANE can be used as a "proof type" to allow ACME CAs to determine that
a given entity controls a given domain.

2. If an ACME CA (or any CA) issues free certificates based on DANE, then
this is a potential way to allow DANE-based trust to get wider deployment.
This isn't really a property of ACME but rather of free, automatic issuance,
regardless of the protocol.

But in neither case is ACME really about moving to the DANE trust model.

Best,
-Ekr
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
