> On Aug 31, 2016, at 9:42 PM, Randy Bush <randy@xxxxxxx> wrote: > > what is authenticated? tofu and authentication are antithetical. Except for (allegedly) EV certs, the entire Web PKI runs on TOFU, except that it happens invisibly (swept under the rug) between the CA and the purported domain owner. Thus DV certs are TOFU for public consumption, where the CA gets to regurgitate the same TOFU to feed all the relying parties. -- Viktor.