>> as eliot pointed out, to defeat dane as currently written, you would
>> have to compromise dnssec at the same time as you compromised the CA at
>> the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
>> CA trust.

> Yes, I saw that. It also drives up complexity too and makes you wonder
> what the added value of those cert vendors is for the money you're
> forking over. Especially when you consider the criticality of dns
> naming for everything except web site host names using tls. And how
> long would it be before browsers allowed
> self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?
agree