On 6 aug 2014, at 04:26, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:
> Use DANE without DNSSec, and calling it opportunistic probably makes
> sense. Using it with DNSSec and it doesn't.

The devil is in the details. I think we disagree on the meaning of the word
"opportunistic", and the evaluation of whether you are lucky enough.
Personally, I think that as fragile as the current CA system is, DANE
without DNSSEC is more stable and better than the current CA system. And better
than self-signed certs that one "just accepts" (which happens quite a lot).

Patrik