|
|
|
|
|
|
by tptacek
1171 days ago
|
|
|
DANE is even worse than the CAs in this regard. Nobody trusts the CAs, so they all have to record all their issuances in a transparency log. If a CA misissues, the browsers will kill it (as has happened with some of the largest CAs). There's no way to revoke a misissued DNSSEC signature and there's no transparency log for DNSSEC, nor will there ever be, because the browsers can't force DNS registries to implement it the way they could force CAs. |
|
|
Another day in tech, another deep sigh.