Re: [ietf-smtp] DANE without DNSSEC (was: certificate pinning)

2014-06-17 13:26:48
On Tue, Jun 17, 2014 at 8:39 AM, Brandon Long <blong(_at_)google(_dot_)com> wrote:
> Of course, my point is that clearly DANE is better than nothing and DNSSEC
> makes it better.  I don't see how leaving out DNSSEC adds holes that don't
> already exist worse without DANE.
>
> I was hoping there was something I was missing in my analysis that explained

DANE is better than nothing in some cases but also can be worse than
nothing in other cases.  It all comes down to whether the DANE record
has a certificate usage that specifies to skip checking the trust
store.  Without DNSSEC, this leaves no functional trust chain.
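The distinction the reply draws, spelled out as an added example (my own illustration, not code from the thread or from any DANE implementation): a TLSA record's certificate usage field decides whether the CA trust store is still consulted (PKIX-TA 0 / PKIX-EE 1) or skipped (DANE-TA 2 / DANE-EE 3). A client that honours TLSA data which did not arrive DNSSEC-validated therefore lets whoever controls the DNS answer choose a usage-3 record that matches their own certificate, and the trust store no longer stands in the way. The certificates, keys and TLSA data below are constructed byte strings standing in for DER, and the PKIX result is passed in as a flag; chain path validation to a matched DANE-TA/PKIX-TA anchor is assumed to be done elsewhere.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# TLSA RDATA field values (RFC 6698 section 2.1).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # certificate usage
SEL_CERT, SEL_SPKI = 0, 1                          # selector: full cert or SubjectPublicKeyInfo
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2            # matching type

# Constructed stand-in for a certificate: (DER certificate, DER SubjectPublicKeyInfo).
Cert = Tuple[bytes, bytes]


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation-format TLSA RDATA such as '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Build TLSA RDATA for a certificate (the inverse of parse_tlsa); used to construct test data."""
    subject = cert_der if selector == SEL_CERT else spki_der
    digest = {MT_FULL: subject,
              MT_SHA256: hashlib.sha256(subject).digest(),
              MT_SHA512: hashlib.sha512(subject).digest()}[mtype]
    return f"{usage} {selector} {mtype} {digest.hex()}"


def _matches(rec: TLSARecord, cert: Cert) -> bool:
    """Does this TLSA record's association data match the given certificate?"""
    cert_der, spki_der = cert
    subject = cert_der if rec.selector == SEL_CERT else spki_der
    if rec.mtype == MT_FULL:
        return subject == rec.data
    if rec.mtype == MT_SHA256:
        return hashlib.sha256(subject).digest() == rec.data
    if rec.mtype == MT_SHA512:
        return hashlib.sha512(subject).digest() == rec.data
    return False  # unknown matching type: unusable record


def _evaluate_trusted(records: List[TLSARecord], chain: List[Cert], pkix_ok: bool) -> Tuple[bool, str]:
    """Apply TLSA records that are assumed trustworthy. chain[0] is the leaf, the rest its issuers.
    pkix_ok is the result of ordinary trust-store validation, computed by the caller."""
    leaf = chain[0]
    for rec in records:
        if rec.usage == PKIX_EE and pkix_ok and _matches(rec, leaf):
            return True, "PKIX-EE(1): leaf matched and trust store validated"
        if rec.usage == PKIX_TA and pkix_ok and any(_matches(rec, c) for c in chain[1:]):
            return True, "PKIX-TA(0): CA in chain matched and trust store validated"
        if rec.usage == DANE_EE and _matches(rec, leaf):
            return True, "DANE-EE(3): leaf matched; trust store skipped by design"
        if rec.usage == DANE_TA and any(_matches(rec, c) for c in chain[1:]):
            return True, "DANE-TA(2): anchor in chain matched; trust store skipped by design"
    return False, "no usable TLSA match"


def evaluate(records: List[TLSARecord], chain: List[Cert], pkix_ok: bool,
             dnssec_validated: bool) -> Tuple[bool, str]:
    """Correct policy: TLSA data that was not DNSSEC-validated (no AD bit from a validating
    resolver) is ignored entirely, and the connection is judged as if no TLSA existed."""
    if not dnssec_validated:
        return pkix_ok, "TLSA ignored: not DNSSEC-validated; fell back to PKIX"
    return _evaluate_trusted(records, chain, pkix_ok)


def evaluate_naive(records: List[TLSARecord], chain: List[Cert], pkix_ok: bool) -> Tuple[bool, str]:
    """The 'DANE without DNSSEC' behaviour: honour whatever TLSA data the resolver returned."""
    return _evaluate_trusted(records, chain, pkix_ok)


if __name__ == "__main__":
    # Constructed scenario: a certificate that fails PKIX, and a usage-3 TLSA record matching it,
    # both delivered without DNSSEC validation.
    rogue: Cert = (b"constructed-rogue-cert-der", b"constructed-rogue-spki-der")
    rec = parse_tlsa(tlsa_rdata(DANE_EE, SEL_SPKI, MT_SHA256, *rogue))
    print("naive  :", evaluate_naive([rec], [rogue], pkix_ok=False))
    print("correct:", evaluate([rec], [rogue], pkix_ok=False, dnssec_validated=False))
```

The two functions differ only in whether they look at the DNSSEC validation status. With an unvalidated usage-3 record, `evaluate_naive` accepts a certificate the trust store rejects, which is the "worse than nothing" case; `evaluate` falls back to plain PKIX, which is the "no functional trust chain, so no DANE" case.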

