On the latest "Security Now" podcast, Steve Gibson makes noises about
DNSSEC/DANE replacing certs, but not in detail. You can search for DANE in the 
transcript. I don't recall if he ever explained this in detail, and if he did, 
I probably wouldn't understand.
https://www.grc.com/sn/sn-579.htm
I don't use Twitter, and if I did, I couldn't discuss DNSSEC/DANE 
intelligently, but feel free to engage him. 
https://mobile.twitter.com/sggrc

I have a self-signed cert for email, so the cert I will buy is only for my
website. I guess I have to buy one per domain. But I do no e-commerce or
anything really requiring security on the sites. Rather, Google is going to
start lowering page rank if you aren't encrypted, plus it has made encryption a
de facto requirement for http2. (The standard doesn't require encryption, but
Chrome won't use http2 without it.)



  Original Message  
From: Alice Wonder
Sent: Saturday, October 1, 2016 3:29 AM
To: postfix-users@postfix.org
Subject: Re: WoSign/StartCom CA in the news

On 09/30/2016 06:52 AM, John @ KLaM wrote:
> Yes, I understand DANE can be used for MTAs. My musing is could it
> completely replace the existing CA mess, and I suppose the follow up is
> how?
>
>

I do not see it as a replacement for the CA mess but rather as a form of 
2-factor authentication.

There is still validity to the PKI/CA infrastructure, such as EV 
certificates for financial institutions and revoking certificates issued 
to obvious bad actors phishing with very similar domains (e.g. slight 
misspelling of a bank).

I guess kind of off-topic but even though I am a huge supporter of 
DNSSEC and DANE, I don't see it as replacing the CA system. I'd rather 
see the CA system fixed.

-=-
Sent from my laptop, may not be able to respond timely
