On Sun, 11 Apr 2021 at 17:00, Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote:
> On Sun, Apr 11, 2021 at 03:34:06PM +0100, Ben Laurie wrote:
> > What I mean is that the authorities for DNS get compromised far more often
> > than CAs do.
>
> But any compromise of a registrant, registrar or registry also
> compromises CA certificate issuance. The CAs are redundant so
> long as the attestation they're performing is "domain control".

CT makes that untrue. Why is this not obvious?

> > Also, DNS has the same plethora of authorities with varying
> > security responsibility.
>
> Choose a security-conscious registrar, and apply registrar lock, and any
> other available/applicable options to prevent unauthorised changes to
> domain registration metadata.

Of course anyone can trivially figure this out. Not.