Dear all,

Spurred by recent IDs and events I've been thinking harder about how to get what we want out of TLS, DNS, and their interaction at the WebPKI.

Fundamentally browsers can't rely on DNS to provide information about authentication because resolvers break that connection, and enforcing that means a lot of important things don't work. DNSSEC never gives the right signal (vanishes at resolver) so DANE doesn't really work, even if we could resolve extra records reliably.

To my mind the registry should be able to issue X.509 certs for second level domains/whoever controls a public suffix. After all, they know where you change DNS. Haven't sorted out how to deal with the level below that.

Do others find this line of thought compelling?

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim

_______________________________________________
Uta mailing list -- uta@ietf.org