On 07.11.2014 at 19:19, Michael Ströder wrote:
li...@rhsoft.net wrote:
Well, besides signaling mandatory use of TLS the promise of DNSSEC/DANE is to
mitigate all the risks leading to real security incidents of existing X.509
PKI. But note that most attacks were conducted through crappy RA interfaces.

So ask yourself:
If everybody uses the same sort of crappy registration interfaces for their
DNS entries while simply auto-signing DNS zone entries. Is there a real chance
to achieve the goal?

and BTW - the flaw with CAs is not the possible intrusion in one

the flaw is that the client accepts any cert from any CA of the hundreds installed by default, with the result that *any* compromised CA which never signed any cert for you can (and repeatedly did) issue a valid cert for your domain - in the case of DANE that's simply impossible

so you compare things which can't be compared at all

summary: you argue completely weird
"TLS SNI support" was your subject

if you now say "boah, autosigning and DANE is a problem", that has *nothing* to do with the topic, and if anything, even your "TLS SNI" would be worthless without DNSSEC - see line 1 of my response
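The DANE point made above (a TLSA record pins the server's own certificate or key, so a certificate for the same name issued by some other default-trusted CA does not match), as an added worked example that is not part of this thread and not code from any of the participants. It uses only the Python standard library; certificates are stand-in dataclasses holding constructed placeholder bytes instead of real DER, and the names (mail.example.net, the CA labels, the key labels) are made up for the illustration. It implements the RFC 6698 TLSA RDATA layout and the DANE-EE (usage 3) match for the full-certificate and SPKI selectors with exact, SHA-256 and SHA-512 matching types, and skips records it cannot use.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable


# Constructed stand-in for a parsed X.509 certificate. Real code would take the
# DER encoding and the SubjectPublicKeyInfo from an X.509 parser; here both are
# placeholder byte strings so the example runs with the standard library only.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes   # full certificate bytes (constructed)
    spki: bytes  # SubjectPublicKeyInfo bytes (constructed)


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """RFC 6698 wire format: usage, selector, matching type (one octet each),
    followed by the certificate association data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than 3 octets")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def association_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """Compute the association data a record with this selector/matching type
    would carry for the given certificate."""
    if selector == 0:
        selected = cert.der
    elif selector == 1:
        selected = cert.spki
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def publish_tlsa(cert: Cert, selector: int = 1, matching_type: int = 1) -> bytes:
    """RDATA the zone owner would publish for the service, as a DANE-EE (3 1 1 by default) record."""
    return bytes([3, selector, matching_type]) + association_data(cert, selector, matching_type)


def dane_ee_accepts(records: Iterable[bytes], presented: Cert) -> bool:
    """Accept the presented certificate only if some usable DANE-EE record matches it.
    Records with an unknown usage, selector or matching type, or that are malformed,
    are treated as unusable and skipped rather than causing a match."""
    for rdata in records:
        try:
            rec = parse_tlsa_rdata(rdata)
            if rec.usage != 3:
                continue  # only DANE-EE is handled in this example
            expected = association_data(presented, rec.selector, rec.matching_type)
        except ValueError:
            continue
        if hmac.compare_digest(expected, rec.data):
            return True
    return False


# Constructed scenario: the operator's real certificate, a certificate for the
# same name issued by a different default-trusted CA with a different key (the
# "any compromised CA can issue for your domain" case), and a renewal of the real
# key under yet another CA (same key, so a selector-1 record still matches).
SERVER_CERT = Cert("mail.example.net", "Legit CA", b"constructed-der:legit", b"constructed-spki:server-key-1")
ROGUE_CERT = Cert("mail.example.net", "Compromised CA", b"constructed-der:rogue", b"constructed-spki:attacker-key")
RENEWED_CERT = Cert("mail.example.net", "Other CA", b"constructed-der:renewed", b"constructed-spki:server-key-1")


def demo() -> dict:
    zone = [publish_tlsa(SERVER_CERT)]  # what _443._tcp.mail.example.net would carry
    return {
        "server": dane_ee_accepts(zone, SERVER_CERT),
        "rogue": dane_ee_accepts(zone, ROGUE_CERT),
        "renewed": dane_ee_accepts(zone, RENEWED_CERT),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-8s accepted=%s" % (name, accepted))
```

The rogue certificate is rejected even though a PKIX client with hundreds of root CAs would accept it; with a selector-0 record the renewed certificate would also be rejected, which is why operators who want CA-independent renewals publish SPKI-based (3 1 1) records and roll the TLSA record ahead of any key change.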
