12 Sep 2011, 11:12 a.m.
> As Eliot pointed out, to defeat DANE as currently written, you would have to compromise DNSSEC at the same time as you compromised the CA, at the same time as you ran the MITM. I.e. it _adds_ DNSSEC assurance to CA trust.

Yes, I saw that. It also drives up complexity too, and makes you wonder what the added value of those cert vendors is for the money you're forking over. Especially when you consider the criticality of DNS naming for everything except web site host names using TLS. And how long would it be before browsers allowed self-signed-but-OK'ed-using-DNSSEC-protected-cert-hashes?
agree
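The two cases argued over in the thread (a TLSA record that only constrains which CA-issued cert is acceptable, versus one that lets a self-signed cert pass on the strength of a DNSSEC-protected hash) are the certificate usage values 1 and 3 of RFC 6698. The following is an added example, not code from any of the commenters: it parses TLSA records in zone-file form, computes the certificate association data for a chain element, and makes the trust decision the RFC describes. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, and it is assumed that chain-signature checking, the PKIX validation result and the DNSSEC "secure" status of the TLSA lookup are supplied by the caller.

```python
"""DANE/TLSA matching and trust decision per RFC 6698 (added example, constructed inputs)."""
import hashlib
from dataclasses import dataclass
from typing import Sequence, Tuple

# One chain element is (certificate DER, SubjectPublicKeyInfo DER); element 0 is the end-entity.
# Assumption: the caller has already verified that each element signs the one before it.
ChainElement = Tuple[bytes, bytes]


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '<usage> <selector> <mtype> <hex>' (hex may contain spaces)."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    rec = TLSARecord(int(usage), int(selector), int(mtype),
                     bytes.fromhex(hexdata.replace(" ", "")))
    if rec.usage not in range(4) or rec.selector not in (0, 1) or rec.matching_type not in (0, 1, 2):
        raise ValueError("unknown TLSA field value")
    return rec


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Derive the bytes a TLSA record's data field is compared against (RFC 6698 s2.1.2/2.1.3)."""
    selected = cert_der if selector == 0 else spki_der
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(rec: TLSARecord, elem: ChainElement) -> bool:
    return association_data(elem[0], elem[1], rec.selector, rec.matching_type) == rec.data


def dane_accepts(records: Sequence[TLSARecord], chain: Sequence[ChainElement],
                 pkix_valid: bool, dnssec_secure: bool) -> bool:
    """Return True if the presented chain is acceptable.

    pkix_valid    - result of ordinary CA path validation (supplied by caller)
    dnssec_secure - the TLSA lookup was DNSSEC-validated (supplied by caller)
    """
    if not dnssec_secure or not records:
        # No DNSSEC-validated TLSA data: DANE says nothing, ordinary CA validation decides.
        return pkix_valid
    for rec in records:
        # EE usages (1, 3) name the leaf; TA usages (0, 2) name a CA elsewhere in the chain.
        candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
        if not any(tlsa_matches(rec, e) for e in candidates):
            continue
        if rec.usage in (0, 1) and not pkix_valid:
            continue  # PKIX-* usages constrain CA trust; they do not replace it
        return True   # DANE-* usages (2, 3) need only the DNSSEC-protected match
    # Usable TLSA records exist and none matched: fail closed, even if a CA signed the cert.
    return False


# Constructed sample inputs (not real DER); the hashes are computed from them below.
EE_CERT = b"constructed end-entity certificate bytes"
EE_SPKI = b"constructed end-entity SubjectPublicKeyInfo bytes"
CA_CERT = b"constructed issuing CA certificate bytes"
CA_SPKI = b"constructed issuing CA SubjectPublicKeyInfo bytes"
CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]

DANE_EE_RECORD = "3 1 1 " + hashlib.sha256(EE_SPKI).hexdigest()  # self-signed-OK'd-by-DNSSEC case
PKIX_EE_RECORD = "1 0 1 " + hashlib.sha256(EE_CERT).hexdigest()  # pins the leaf, CA still required
DANE_TA_RECORD = "2 1 1 " + hashlib.sha256(CA_SPKI).hexdigest()  # names a private trust anchor

if __name__ == "__main__":
    for label, rec_text, pkix in (("DANE-EE, no CA", DANE_EE_RECORD, False),
                                  ("PKIX-EE, no CA", PKIX_EE_RECORD, False),
                                  ("PKIX-EE, CA ok", PKIX_EE_RECORD, True)):
        print(label, "->", dane_accepts([parse_tlsa(rec_text)], CHAIN, pkix, dnssec_secure=True))
```

The decision table makes the thread's point concrete: with a usage 1 record an attacker needs a mis-issued certificate and a forged DNSSEC answer, while with usage 3 the DNSSEC-protected hash alone decides and the CA is not consulted. Note also that when validated TLSA records exist and none match, the chain is rejected regardless of the PKIX result; a TLSA lookup that is not DNSSEC-secure must be treated as absent, never as a match.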