On Tue, 10 Jul 2018, Adam Roach wrote:

> On 7/10/18 9:59 AM, Paul Wouters wrote:
>> It seems more like an extension of the Public Suffix. Which domains can
>> make claims about other domains.
>
> Based on the conversation that took place in DoH in Singapore, I think it's mostly *not* about this. The questions that have come up so far include: (a) If the record that is pushed to me is DNSSEC signed, is that sufficient to trust it? (b) If the record that is pushed to me is not DNS signed, but I'm using it in a context that requires TLS (e.g., HTTPS), and the thing that I connect to when I use the record can present a cert that proves its identity, is that okay?

I see. I guess I agree more now with the previous poster that this is
more like yet another kind of "transparency" workaround for not wanting
to deploy dnssec :)

I understand that having a WebPKI and a DANE PKI leads to an unwanted
mixture of trust models. It might be useful to talk about that, especially
in light of tls-dnssec-chain where it seems that some proposals result
in a preventative block of a DANE PKI for no apparent other gain.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
