On 09/30/2016 06:52 AM, John @ KLaM wrote:
> Yes, I understand DANE can be used for MTAs. My musing is could it completely replace the existing CA mess, and I suppose the follow-up is how?
I do not see it as a replacement for the CA mess but rather as a form of 2-factor authentication.
There is still validity to the PKI/CA infrastructure, such as EV certificates for financial institutions and revoking certificates issued to obvious bad actors phishing with very similar domains (e.g. slight misspelling of a bank).
I guess kind of off-topic but even though I am a huge supporter of DNSSEC and DANE, I don't see it as replacing the CA system. I'd rather see the CA system fixed.
-=- Sent from my laptop, may not be able to respond timely