On 6 Aug 2014, at 04:26, Dave Crocker <dhc@xxxxxxxxxxxx> wrote:

> Use DANE without DNSSec, and calling it opportunistic probably makes
> sense. Using it with DNSSec and it doesn't. The devil is in the details.

I think we disagree on the meaning of the word "opportunistic", and the evaluation of whether you are lucky enough.

Personally, I think that as fragile as the current CA system is, I think DANE without DNSSEC is more stable and better than the current CA system. And better than self-signed-certs that one "just accept" (which happens quite a lot).

Patrik