On Wed, Aug 06, 2014 at 06:39:37PM -0400, John C Klensin wrote:

> The other end is equally bad. DNSSEC protects the integrity of
> data already stored in the DNS. But, if the proverbial Bad Guy
> can compromise a domain name registrar and register a name that
> is misleading or otherwise problematic, certificates tied to
> that name may not be very useful, especially as assertions of
> good and upright behavior associated with, e.g., mail traffic.
> Whether DANE-type certificates that depend on DNSSEC and
> registrar integrity are more or less trustworthy than PKI-type
> certificates that depend on certificate chains,
> low-assertion-quality certificates, and CA integrity is an
> interesting question... but one that might easily be resolved by
> a race to the bottom.

If folks want to continue this nuanced tangential discussion,
perhaps a separate thread on saag, or on Perry's cryptography
list would be more appropriate. I'm having a hard enough time
keeping track of all the on-topic LC mail.

I am redirecting replies to saag only, and changing the subject.
With any luck I've also removed the "References:" header, thus
severing the new thread from the original.

[ For what it is worth, I, for one, don't expect certificates to
  warrant trustworthy or upright counterparty behaviour. I only
  expect them to ensure channel integrity for my connection to
  whichever deviant fraudster I've chosen to connect to. :-)

  Please express any agreement or disagreement with that
  sentiment in another thread. Thanks. ]

--
Viktor.