ietf-smtp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning)

2014-06-17 13:26:48
from [Peter Bowen] [Permanent Link] 
On Tue, Jun 17, 2014 at 8:39 AM, Brandon Long <blong(_at_)google(_dot_)com> 
wrote:

Of course, my point is that clearly DANE is better than nothing and DNSSEC
makes it better.  I don't see what leaving out DNSSEC adds holes that don't
already exist worse without DANE.

I was hoping there was something I was missing in my analysis that explained
it.


DANE is better than nothing in some cases but also can be worse than
nothing in other cases.  It all comes down to whether the DANE record
has a certificate usage that specifies to skip checking the trust
store.   Without DNSSEC, this leaves no functional trust chain.

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning), John Levine
Next by Date:  Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning), Mark Andrews
Previous by Thread:  Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning), John Levine
Next by Thread:  Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning), Mark Andrews
Indexes:  [Date] [Thread] [Top] [All Lists]