On 2/10/11 8:09 PM, Eddy Nigg wrote:
There are additional steps CAs can/should/do besides checking domain
control - even in the DV settings.
Ok, so the theory here is that some DV CAs do some stuff above and
beyond baseline domain validation. We don't really know who is doing
how much of thi
On 02/11/2011 01:33 AM, From Stephen Schultze:
You cut off the end of the sentence, which made clear that I was
referring to how the *trust* of the CA model relies on blind trust of
the data in DNS. Any fundamental trust model shortcoming of DNS is
likewise a shortcoming of CA DV. You've neve
On 2/10/11 5:36 PM, Eddy Nigg wrote:
On 02/10/2011 10:40 PM, From Stephen Schultze:
Until you actually explain why you think it's not correct that DV
relies on DNS,
I didn't say DV doesn't rely on DNS, almost everything on the [net] uses it.
Of course, but the fact that apps use DNS irreleva
On 02/11/2011 12:36 AM, From Eddy Nigg:
I didn't say DV doesn't rely on DNS, almost everything on the *NET*
uses DNS.
Corrected.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tec
On 02/10/2011 10:40 PM, From Stephen Schultze:
Until you actually explain why you think it's not correct that DV
relies on DNS,
I didn't say DV doesn't rely on DNS, almost everything on the DNS uses it.
or what beyond domain validation that you think DV actually does,
there's really nothing t
On 2/10/11 3:33 PM, Eddy Nigg wrote:
On 02/10/2011 08:51 PM, From Stephen Schultze:
As I have said repeatedly (and you have never addressed) the CA DV
model relies on DNS and thus imports any vulnerabilities that exist in
a DNS-based model. CA DV blindly trusts DNS.
That's exactly your mistak
On 02/10/2011 08:51 PM, From Stephen Schultze:
As I have said repeatedly (and you have never addressed) the CA DV
model relies on DNS and thus imports any vulnerabilities that exist in
a DNS-based model. CA DV blindly trusts DNS.
That's exactly your mistake, you are not correct.
The only t
On 2/10/11 1:25 PM, Eddy Nigg wrote:
On 02/10/2011 07:20 PM, From Steve Schultze:
Zack, arguing with Eddy on this point is a losing proposition.
DNSSEC+TLSA has some demonstrably superior characteristics to CA
DV, but Eddy is not willing to concede this or even give detailed
reasoning.
Well
On 02/10/2011 07:20 PM, From Steve Schultze:
Zack, arguing with Eddy on this point is a losing proposition.
DNSSEC+TLSA has some demonstrably superior characteristics to CA
DV, but Eddy is not willing to concede this or even give detailed
reasoning.
Well, we know about the advantages and s
On 2/7/11 6:31 PM, Robert Relyea wrote:
My primary worry of this spec as is is that DNSSEC is trying to be
the end-all-be-all authority. That's a recipe for disaster. Keeping all
my server keys in sync with the DNSSEC record? And if I have OV/EV, I
have to keep it in sync with the certificate
On 2/6/11 1:01 PM, Eddy Nigg wrote:
On 02/06/2011 07:11 PM, From Zack Weinberg:
I'm going to ask you the same question I asked Nelson: In a
hypothetical world where DNSSEC+TLSA completely supersedes DV (but
people still use OV/EV for high-value sites) what do you see as having
been lost? Or, tur