Hi Jakob,

I support your point of view, however domain validation also has some
advantages with public certificates over DANE: the requirement for
renewing (creating a new private key), the instant revocation with CRL and OCSP
(as opposed to caching DNS), but finally also awareness of hackers and
spammers. So if you look at DANE, everyone can run a valid site with https
and e.g. spread malware through that, as https traffic is often not scanned
and usually trusted, like the recently mentioned phishing attacks. In
addition, with SMTP over TLS running mail servers, the assumption would be
that it is a valid mail server. If everyone can go with SMTP over TLS,
giving more trust to valid SMTP connections will be undermined.

Regards,
Christian 

On 30.05.13 09:37 "Jakob Schlyter" wrote at <[email protected]>:

>On 30 May 2013, at 04:24, Rick Andrews <[email protected]> wrote:
>
>> Is there another list that's right for discussing the merits and
>>demerits of the different DANE options? I work for a CA, so of course I
>>believe that the current PKI is *not* irreparably broken, nor do I agree
>>that modes 2 and 3 are "substantially more robust". Because I believe
>>your voice is respected in this forum, I wanted to speak up to make it
>>clear that this opinion is not shared by all.
>
>Unless the chairs object, I believe this mailing list is a good
>place to discuss these matters.
>
>IMHO, classic PKI augmented by DANE would be a very strong package.
>However, I would argue that without the extra identity proofing and other
>controls set by Extended Validation (EV), DANE has security
>properties equal to a plain Domain Validation (DV) certificate.
>
>For the foreseeable future, we definitely need to combine DANE with classic
>PKI in order for the general Internet user to be able to validate
>certificates. For limited deployments, or applications where classic PKI
>has not yet gained significant traction (such as TLS for SMTP), a pure
>DANE solution makes sense (unless EV is required).
>
>       jakob
>
>_______________________________________________
>dane mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/dane
>

Attachment: smime.p7s
Description: S/MIME cryptographic signature