SM wrote:

> In Section 8.1:
>
> "If it is less likely that a user will hear about its trusted DNSSEC
> validators being hacked that it is of a public CA being compromised"
>
> I suggest using "compromised" instead of "hacked".

Similar to what John complains about, comparing trusted DNSSEC validators to public CAs is comparing apples and oranges. The equivalent of a trusted DNSSEC validator in the PKIX world would be an SCVP server/service!

The compromise of the DNSSEC zone data for DANE is probably equivalent to the compromise of an organizational CA signed by a public CA with name constraints to that DNS zone.

The compromise of an unconstrained public CA in the PKIX world would be equivalent to a compromise of the root DNSSEC zone data in the DANE world.

-Martin