On Tue, Feb 27, 2018 at 11:24:31AM -0500, Shumon Huque wrote:
> On Tue, Feb 27, 2018 at 10:59 AM, Shumon Huque <shu...@gmail.com> wrote:
> > Several of us were well aware of this during the early days of the
> > draft, but perhaps many folks did not fully appreciate the impacts
> > until I elaborated on them last year, and added text that described
> > the "adversary with fraudulently obtained PKIX credentials" attack.
>
> Following up to my own message, sorry ..
>
> It occurred to me that perhaps a good way to mitigate this risk is
> a combo of mechanisms like CAA and Certificate Transparency logs.
NO. That's insanely complicated. A pin-for-X-minutes TTL is trivial.
Let's do this pin-to-DANE thing.

Nico

--
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
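The "pin-for-X-minutes TTL" idea in the reply above, as an added illustration that is not code from the thread, the draft, or either author: a client keeps a per-host pin saying "this host does DANE" for a TTL the server announced, and while the pin is live it rejects any handshake that arrives without the DANE chain extension. That is what blocks the attack Shumon names, since an adversary holding a fraudulently obtained PKIX certificate can present a valid-looking chain but cannot simply strip the extension once the client is pinned. Everything about the model is assumed for the example: that the server sends a TTL in seconds alongside the extension, that a TTL of 0 means "unpin", that the caller has already validated the TLSA chain before calling `observe`, and the names `DanePinStore` and `observe` themselves.

```python
"""Added example (not from the TLS list thread): a client-side "pin for X
minutes" cache for a DANE/TLSA chain TLS extension.

Assumed model (hypothetical, not the draft's wire format):
  * a server that sends the extension also sends a TTL in seconds;
  * the client remembers "host does DANE" until that TTL lapses;
  * a TTL of 0 clears the pin so an operator can unpin gracefully;
  * the caller validates the TLSA chain itself before calling observe().
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Pin:
    expires_at: float  # absolute time in seconds when the pin lapses


class DanePinStore:
    """Per-host memory of "this server speaks DANE", with an expiry."""

    def __init__(self) -> None:
        self._pins: Dict[str, Pin] = {}

    def is_pinned(self, host: str, now: float) -> bool:
        pin = self._pins.get(host)
        return pin is not None and now < pin.expires_at

    def observe(self, host: str, ext_present: bool,
                ttl: Optional[int], now: float) -> str:
        """Judge one handshake against the store and update it.

        ext_present: whether the DANE chain extension was in the handshake
                     (and, by assumption, its TLSA chain already validated).
        ttl:         the server-announced pin lifetime in seconds, or None
                     when the extension was absent.
        Returns "accept" or "reject".
        """
        if ext_present:
            if ttl is None or ttl <= 0:
                # Explicit unpin: server is withdrawing the DANE commitment.
                self._pins.pop(host, None)
            else:
                # Refresh the pin; every DANE handshake extends the window.
                self._pins[host] = Pin(expires_at=now + ttl)
            return "accept"

        # No extension in this handshake.
        if self.is_pinned(host, now):
            # A fraudulently obtained PKIX cert would pass ordinary chain
            # validation; the live pin is what makes stripping the
            # extension a hard failure instead of a silent downgrade.
            return "reject"

        # First contact, or the pin has lapsed: the residual exposure of any
        # TTL-pinning scheme. Fall back to plain PKIX.
        return "accept"


if __name__ == "__main__":
    store = DanePinStore()
    # Constructed timeline for "example.com" (times in seconds).
    print(store.observe("example.com", False, None, 0))    # accept (TOFU)
    print(store.observe("example.com", True, 600, 10))     # accept, pin 600s
    print(store.observe("example.com", False, None, 100))  # reject (pinned)
    print(store.observe("example.com", False, None, 700))  # accept (expired)
```

The point the example makes is the trade-off, not a recommendation: the client is protected exactly while a pin is live, and is back on plain PKIX on first contact and after expiry, which is why the TTL length, and whether the server may refresh or withdraw it, is the whole design question.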