Hi,

> IMHO the public CA PKI is irreparably broken, and provides little
> additional assurance. There is little reason to public 0/1 or even
> 2 when 3 is substantially more robust.

In my opinion, the CA PKI model gets hardened / its recent issues fixed with DANE, but DANE is not able to replace it as such. See below.

>> Since, domain-owner/holder has publicly declared what exact cert
>> he/she/they trusts using TLSA "2 s m" or "3 s m" based dns rr, then
>> why web-browser will ask question/prompt visitor/user ? !
>
> They should not, and I expect will not, once they support DANE.

Finally, DANE can replace the so-called domain validation certificates, as domain control may be proven anyway by a certificate stored in the DNS. However, the pressure to renew certificates (and to generate new private keys), the limited validity of a certificate and the additional third-party check of revocation status (especially if the webmaster and the hostmaster are not the same and there is a need for quick reaction) are open topics.

But public certs, beside the encryption and domain binding topic, have another purpose: a third party proves the website owner's existence, legal name, address and, depending on the certificate, a minimum of 3 years doing business, etc. So finally DANE can't prevent phishing (similar domains), can't protect from unknown business partners, ... That still requires someone verifying the identity and warranting for the job done. DANE can ensure here that this certificate is the real one and has not been "rewritten" by anyone else.

Regards,
Christian
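The TLSA usages the quoted message refers to ("2 s m" for a trust anchor, "3 s m" for the end-entity certificate) are what lets a client decide from DNS alone that "this certificate is the real one". The Go program below is an added example, not code from this thread or from any DANE implementation: it builds TLSA association data from a certificate (selector 0/1, matching type 0/1), checks a presented chain against a usage 3 or usage 2 record, and exercises the check on a constructed CA and leaf for www.example.com issued with fresh keys at run time. The type and function names, the example hostname and the fixture are assumptions of this example; the DNSSEC validation of the TLSA lookup itself, which DANE also requires, is out of scope here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA is the RDATA of a TLSA record (RFC 6698): usage, selector, matching type, data.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// RecordFor computes what the hostmaster publishes for cert: selector 0 = full DER
// certificate, 1 = SubjectPublicKeyInfo; matching type 0 = exact bytes, 1 = SHA-256.
func RecordFor(cert *x509.Certificate, usage, selector, mtype uint8) (TLSA, error) {
	var data []byte
	switch selector {
	case 0:
		data = cert.Raw
	case 1:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return TLSA{}, fmt.Errorf("unsupported selector %d", selector)
	}
	switch mtype {
	case 0: // exact match: the selected bytes are published as-is
	case 1:
		h := sha256.Sum256(data)
		data = h[:]
	default: // matching type 2 (SHA-512) is also valid but left out of this example
		return TLSA{}, fmt.Errorf("unsupported matching type %d", mtype)
	}
	return TLSA{usage, selector, mtype, data}, nil
}

// matches reports whether cert is the certificate the record pins.
func (r TLSA) matches(cert *x509.Certificate) bool {
	want, err := RecordFor(cert, r.Usage, r.Selector, r.MatchingType)
	return err == nil && bytes.Equal(want.Data, r.Data)
}

// Verify checks a presented chain (leaf first) as a DANE-aware client would.
// Usage 3 (DANE-EE): the leaf itself must match; no chain building, no CA store.
// Usage 2 (DANE-TA): a chain certificate must match and, as the only trust anchor,
// must validate the leaf for hostname. Usages 0/1 still need the public CA store.
func (r TLSA) Verify(chain []*x509.Certificate, hostname string, now time.Time) (bool, error) {
	if len(chain) == 0 {
		return false, fmt.Errorf("empty chain")
	}
	switch r.Usage {
	case 3:
		return r.matches(chain[0]), nil
	case 2:
		for _, c := range chain {
			if !r.matches(c) {
				continue
			}
			roots, inter := x509.NewCertPool(), x509.NewCertPool()
			roots.AddCert(c)
			for _, i := range chain[1:] {
				inter.AddCert(i)
			}
			_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: hostname, CurrentTime: now})
			return err == nil, nil
		}
		return false, nil
	}
	return false, fmt.Errorf("usage %d needs the public CA store; not handled here", r.Usage)
}

// DemoChain issues a constructed CA and a leaf for www.example.com with fresh keys
// (not real certificates) so the check runs offline; fixture only, errors unchecked.
func DemoChain() (ca, leaf *x509.Certificate) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.com"}, DNSNames: []string{"www.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return
}

func main() {
	ca, leaf := DemoChain()
	ee, _ := RecordFor(leaf, 3, 1, 1) // "3 1 1": pin the leaf's public key
	ta, _ := RecordFor(ca, 2, 0, 1)   // "2 0 1": pin the issuing CA certificate
	for _, r := range []TLSA{ee, ta} {
		ok, err := r.Verify([]*x509.Certificate{leaf, ca}, "www.example.com", time.Now())
		fmt.Printf("%d %d %d %x -> match=%v err=%v\n", r.Usage, r.Selector, r.MatchingType, r.Data, ok, err)
	}
}
```

Run as-is, the usage 3 record matches the leaf and the usage 2 record validates it through the pinned CA; a different hostname, or a certificate for the same name under a different key, turns both into a plain mismatch rather than a user prompt. Note what the two usages do and do not cover: usage 3 binds the name to one key and skips PKIX entirely, so renewals mean republishing the record, while usage 2 lets the pinned CA issue new leaf certificates, which is one of the operational points the message raises.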
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
