+1 to the use of CAA/DANE -brian On 09/27/2011 07:34 PM, Rubens Kuhl wrote:
On Tue, Sep 27, 2011 at 7:29 PM, David E. Smith<dave@mvn.net> wrote:
On Tue, Sep 27, 2011 at 17:08, Jimmy Hess<mysidia@gmail.com> wrote:
That is, HTTPs should become assumed. As much as that would be wonderful from a security standpoint, IMO it's not realistic to expect every mom-and-pop posting a personal Web site to pay extra for a static/dedicated IP address from their hosting company (even if IPv6 were widely deployed, Web hosts probably would charge extra for this just on principle), and to pay extra for an SSL certificate, even a "weak" one that only verifies the domain name. Self-signed certificates published thru DNSSEC using CAA/DANE can cost nothing. (And somebody else pointed out SNI to have TLS work without exclusive IP requirement)
Rubens