On 11/06/2018 02:58 PM, Viktor Dukhovni wrote:
> Here I disagree, or misunderstand your point. With a fresh DNSSEC-validated TXT record, there seems to be little reason to cache, and you even get downgrade protection on first contact. What you don't get is defense from compromise of any of the all too many WebPKI CAs, and the weak DV domain verification they perform. But if that's all that's available, it is better than nothing.
Okay, I defer to your expertise and better grasp of the issues.
