>>>>> "DA" == Derek Atkins <[email protected]> writes:
DA> Note that this public key could still (theoretically) be signed. Unless
DA> DANE is specifying it differently there should be no limitation that it
DA> be *just* the public key.

That is an important point; unsigned OPENPGPKEY provides similar benefits
as using the key servers.

Part of the motivation for OPENPGPKEY was to provide an additional trust
path to the dnssec root for those who lack an existing or sufficient path
through the WoT.

(I think everyone agrees that a nice path through the WoT to a key with
ultimate trust is better, but if your WoT path is weak or non-extant then
dns can at least provide /some/ trust.)

Another aspect of the motivation is to have similar discovery paths for
openpgp and smime -- where a dns trust path is arguably more useful.

-JimC
--
James Cloos <[email protected]>         OpenPGP: 0x997A9F17ED7DAEA6
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
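As an added illustration of the record type the thread is discussing (example code written for this page, not from the list participants or any DANE implementation): the functions below derive the OPENPGPKEY owner name for a mail address the way RFC 7929 describes it (SHA-256 of the UTF-8 local-part, truncated to 28 octets, written as 56 hex characters under `_openpgpkey.<domain>`), build a zone-file line for it, parse such a line back, and check that a record's owner name actually belongs to the address being looked up. The address `alice@example.com` and the key bytes are constructed placeholders (the bytes are not a real OpenPGP packet), and no case folding of the local-part is applied, which is an assumption here since deployments differ on that. Whether an answer arrived DNSSEC-validated, the distinction the thread turns on, is a property of the validating resolver's response (the AD bit) and is outside what this offline block checks.

```python
import base64
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"

# Constructed sample input for this example; not a real address or key.
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_KEY = b"constructed placeholder, not an OpenPGP transferable public key"


def openpgpkey_owner_name(email: str) -> str:
    """Return the fully qualified owner name of an address's OPENPGPKEY record.

    RFC 7929 section 3: hash the UTF-8 local-part with SHA-256, keep the
    first 28 octets, encode them as 56 lowercase hex characters, and place
    that label under _openpgpkey.<domain>. The local-part is hashed as given
    (assumption: no case folding), while the domain is lowercased because
    DNS names are case-insensitive.
    """
    if email.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    local_part, domain = email.split("@")
    if not local_part or not domain:
        raise ValueError("empty local-part or domain")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()
    label = digest[:28].hex()
    return f"{label}.{OPENPGPKEY_LABEL}.{domain.rstrip('.').lower()}."


def to_presentation(key_bytes: bytes) -> str:
    """OPENPGPKEY RDATA is the raw key; the zone-file form is its base64."""
    return base64.b64encode(key_bytes).decode("ascii")


def zone_record(email: str, key_bytes: bytes, ttl: int = 3600) -> str:
    """Build one zone-file line: <owner> <ttl> IN OPENPGPKEY <base64>."""
    return f"{openpgpkey_owner_name(email)} {ttl} IN OPENPGPKEY {to_presentation(key_bytes)}"


def parse_zone_record(line: str) -> tuple[str, int, bytes]:
    """Parse a zone-file OPENPGPKEY line back into (owner, ttl, key bytes).

    Base64 may be split across whitespace in zone files, so the RDATA
    fields are joined before decoding; validate=True rejects stray bytes.
    """
    fields = line.split()
    if len(fields) < 5 or fields[2] != "IN" or fields[3] != "OPENPGPKEY":
        raise ValueError("not an OPENPGPKEY record")
    owner, ttl = fields[0], int(fields[1])
    rdata = base64.b64decode("".join(fields[4:]), validate=True)
    return owner, ttl, rdata


def record_matches_address(line: str, email: str) -> bool:
    """True if the record's owner name is the one derived for this address.

    A client should only accept a record it found at the owner name it
    computed itself; comparing case-insensitively covers mixed-case zones.
    """
    owner, _, _ = parse_zone_record(line)
    return owner.lower() == openpgpkey_owner_name(email).lower()


def demo() -> dict:
    """Run the round trip on the constructed sample and return the results."""
    line = zone_record(SAMPLE_EMAIL, SAMPLE_KEY)
    owner, ttl, rdata = parse_zone_record(line)
    return {
        "owner": owner,
        "ttl": ttl,
        "key_roundtrip": rdata == SAMPLE_KEY,
        "matches": record_matches_address(line, SAMPLE_EMAIL),
        "matches_other": record_matches_address(line, "bob@example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The owner-name check is the client-side half of the trust question raised above: it guarantees the record was fetched at the right name, but it says nothing about who vouches for it. That comes from whether the resolver validated the answer under DNSSEC, and, as the message notes, an unvalidated record is no stronger than a key-server download.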
