On Fri, 7 Nov 2014, Stephane Bortzmeyer wrote:
The first one is that some people distrust the domain name industry and feel that it is not safe to exchange the CA for the domain name actors (some of them having bad reputations like G... D...). Now, we all know it is more complicated than that (usages PKIX-* do not required that you drop the CA system, but on the other hand, some people fear that, if DANE is in the browser, the registrar, registry or the DNS hoster may be able to divert your users to a false site, something they could not do before). I don't say that I follow this reasoning but I've heard it several times so it could be documented.
And for that, we bring you CT for DNSSEC. Go look at the presentation and be ready to give us feedback this monday at TRANS :) http://www.ietf.org/proceedings/91/slides/slides-91-trans-3.pdf Paul _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
