On 07.11.2014 at 19:19 Michael Ströder wrote:
> li...@rhsoft.net wrote:
> Well, besides signaling mandatory use of TLS, the promise of DNSSEC/DANE is to
> mitigate all the risks leading to real security incidents of existing X.509
> PKI. But note that most attacks were conducted through crappy RA interfaces.
> So ask yourself:
> If everybody uses the same sort of crappy registration interfaces for their
> DNS entries while simply auto-signing DNS zone entries, is there a real chance
> to achieve the goal?
and BTW - the flaw with CAs is not the possible intrusion in one
the flaw is that the client accepts any cert from any CA of the hundreds
installed by default, resulting in *any* compromised CA that never signed any
cert for you being able to (and repeatedly did) issue a valid cert for your domain -
in case of DANE that's just impossible
so you compare things which can't be compared at all
summary: you argue completely weird
"TLS SNI support" was your subject
if you now say "boah autosigning and DANE is problem" that has *nothing*
to do with the topic and if anything, even your "TLS SNI" would be
worthless without dnssec - see line 1 of my response