Sander Steffann <san...@steffann.nl> writes:

> Yep. I wish the use of TLSA was more widespread. It doesn't require
> third parties to "certify" who is who.

+1

There is still too much money in the CA business. Which is the reason
why no major browser does TLSA validation.  And why "best practices"
allow, or even recommend, inferior solutions like CAA, HPKP and other
bad ideas instead of DANE.  You gotta look at the source of those
recommendations. They are most likely "best" for someone's wallet.  Not
necessarily for security.

It's amazing that they still try to make those pigs fly.


Bjørn

