On the latest "Security Now" podcast, Steve Gibson makes noises about DNSSEC/DANE replacing certs, but not in detail. You can search for DANE in the transcript. I don't recall if he ever explained this in detail, and if he did, I probably wouldn't understand.

https://www.grc.com/sn/sn-579.htm

I don't use Twitter, and if I did, I couldn't discuss DNSSEC/DANE intelligently, but feel free to engage him.

https://mobile.twitter.com/sggrc

I have a self-signed cert for email, so the cert I will buy is only for my website. I guess I have to buy one per domain. But I do no e-commerce or anything really requiring security on the sites. Rather, Google is going to start lowering page rank if you aren't encrypted, plus it has made encryption a de facto requirement for http2. (The standard doesn't require encryption, but Chrome won't use http2 without it.)

Original Message
From: Alice Wonder
Sent: Saturday, October 1, 2016 3:29 AM
To: postfix-users@postfix.org
Subject: Re: WoSign/StartCom CA in the news

On 09/30/2016 06:52 AM, John @ KLaM wrote:
> Yes, I understand DANE can be used for MTAs. My musing is could it
> completely replace the existing CA mess, and I suppose the follow up is
> how?
>

I do not see it as a replacement for the CA mess but rather as a form of 2-factor authentication.

There is still validity to the PKI/CA infrastructure, such as EV certificates for financial institutions and revoking certificates issued to obvious bad actors phishing with very similar domains (e.g. slight misspelling of a bank).

I guess kind of off-topic but even though I am a huge supporter of DNSSEC and DANE, I don't see it as replacing the CA system. I'd rather see the CA system fixed.

-=-
Sent from my laptop, may not be able to respond timely