On Mon, 5 Nov 2018, Salz, Rich wrote:

> Is it fair to describe the draft as enabling a trust model based on DNSSEC, rather than the default X.509 hierarchy and trust store which is implemented by default?
The draft tries to enable a trust model based on DNSSEC, but due to missing pinning, fails to deliver that. A better way is saying the draft enables a trust model that restricts the WebPKI, addressing the problems of too many unrestricted root CA players being accepted by TLS clients these days [provided the draft adds a mechanism like pinning to prevent downgrade attacks].

Paul

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
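The downgrade concern in Paul's reply (a client that will silently fall back to plain WebPKI validation whenever the DNSSEC chain extension is absent) can be made concrete with a small model. The following is an added illustration, not code from the draft, the thread, or any implementation. It assumes a simplified client: the server may advertise a pin lifetime alongside the extension, and a client that has once seen the extension for a host refuses later handshakes for that host that omit it until the pin expires. The `Handshake` fields, the `pin_seconds` value and the `validate_chain` stand-in are all constructed for the example.

```python
"""Toy model of why a DNSSEC-chain TLS extension needs pinning.

Added example (not from the draft or the mailing-list thread). It models
the generic idea only: a client remembers that a host supports the
extension for an advertised lifetime and treats its absence during that
window as a downgrade rather than as a reason to fall back to WebPKI-only.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Handshake:
    """What the client sees from one TLS handshake (fields are assumed)."""
    host: str
    webpki_ok: bool                 # ordinary X.509 chain validated OK
    dnssec_chain: Optional[bytes]   # extension payload, None if not sent
    pin_seconds: int = 0            # assumed: server-advertised pin lifetime


def validate_chain(chain: bytes) -> bool:
    """Stand-in for real DNSSEC chain validation (constructed marker only)."""
    return chain == b"VALID-CHAIN"


class Client:
    """TLS client with a per-host pin cache for the extension."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.pins: Dict[str, float] = {}   # host -> pin expiry timestamp

    def connect(self, hs: Handshake) -> str:
        if not hs.webpki_ok:
            return "reject: webpki"
        pinned = self.pins.get(hs.host, 0.0) > self.now()

        if hs.dnssec_chain is None:
            # Without a pin the client cannot tell "server never offered
            # the extension" from "an on-path party stripped it"; with a
            # pin, absence inside the window is treated as a downgrade.
            if pinned:
                return "reject: downgrade"
            return "accept: webpki-only"

        if not validate_chain(hs.dnssec_chain):
            return "reject: dnssec"
        if hs.pin_seconds > 0:
            self.pins[hs.host] = self.now() + hs.pin_seconds
        return "accept: dnssec-restricted"


def demo() -> list:
    """Walk one host through first contact, pinning, downgrade and expiry."""
    clock = [1000.0]                      # constructed fake clock
    c = Client(now=lambda: clock[0])
    results = []
    # First contact, extension absent: nothing to compare against.
    results.append(c.connect(Handshake("example.test", True, None)))
    # Server sends a valid chain and asks to be pinned for an hour.
    results.append(c.connect(Handshake("example.test", True, b"VALID-CHAIN", 3600)))
    # Extension missing inside the pin window: refused as a downgrade.
    results.append(c.connect(Handshake("example.test", True, None)))
    # After the pin lapses the client is back to silent WebPKI fallback.
    clock[0] += 3601
    results.append(c.connect(Handshake("example.test", True, None)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last step is the point of the reply: the only thing standing between the extension and a plain WebPKI-only connection is the pin, so a draft that omits pinning restricts nothing in practice.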