Re: [dane] Two additions to draft-york-dane-deployment-observations-00

Paul Wouters <> Mon, 10 November 2014 00:55 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A90641A87C3 for <>; Sun, 9 Nov 2014 16:55:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.594
X-Spam-Status: No, score=-2.594 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.594] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hnIHoh96b367 for <>; Sun, 9 Nov 2014 16:55:09 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D0AEE1A87E8 for <>; Sun, 9 Nov 2014 16:55:09 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 95552817C1; Sun, 9 Nov 2014 19:55:08 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1415580908; bh=6Q52/dKSclKEOajpxRGzK/mRMWULBMf3ufzrZUwITjA=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=vHFHgn23YPks019pRqpcNRlLX5vAFwq/3reKBdr/6RHJ3wLJU8AN8uhSTPDIlpG6Z cPgFrqrCBDXNUicTwpZ9JYw278tsmegDoqgY/tLykLW0qyY/HZr5oawXDc01dBySHE 3NKQPso2rPyvA1t2L3uK1Va3xa4hNqTJEZy7ivL8=
Received: from localhost (paul@localhost) by (8.14.7/8.14.7/Submit) with ESMTP id sAA0t8Ll010182; Sun, 9 Nov 2014 19:55:08 -0500
X-Authentication-Warning: paul owned process doing -bs
Date: Sun, 09 Nov 2014 19:55:07 -0500
From: Paul Wouters <>
To: Stephane Bortzmeyer <>
In-Reply-To: <>
Message-ID: <>
References: <>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Subject: Re: [dane] Two additions to draft-york-dane-deployment-observations-00
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Nov 2014 00:55:12 -0000

On Fri, 7 Nov 2014, Stephane Bortzmeyer wrote:

> The first one is that some people distrust the domain name industry
> and feel that it is not safe to exchange the CA for the domain name
> actors (some of them having bad reputations like G... D...). Now, we
> all know it is more complicated than that (usages PKIX-* do not
> required that you drop the CA system, but on the other hand, some
> people fear that, if DANE is in the browser, the registrar, registry
> or the DNS hoster may be able to divert your users to a false site,
> something they could not do before). I don't say that I follow this
> reasoning but I've heard it several times so it could be documented.

And for that, we bring you CT for DNSSEC. Go look at the presentation
and be ready to give us feedback this monday at TRANS :)