Dan York wrote:
> Since I had put in a request for agenda time at IETF 91 to potentially talk
> about if there were any lessons from DANE deployment that could be fed back
> into the standards process, I did throw together a quick draft...
>
> Feedback is very definitely welcome... I'm not intending anything with this
> document other than using it as a catalyst for discussions.

IMO lack of really secure DNSSEC support is *the* major blocker. So I disagree with your comment at the end of section 2.

And I have some personal security concerns about the DNSSEC auto-signing many sites seem to implement and the security of registry (web) interfaces. I'm pretty sure attackers will go that route just like they attacked registry (web) interfaces of X.509-based PKI implementations.

Also I don't like inventing a bunch of DNS RR types for different purposes.

Ciao, Michael.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
