by tptacek
691 days ago
'agl wrote a blog post about it. There were two big problems, one in principle and one practical. The practical: you can't reliably run DNSSEC everywhere Chrome runs. Networks get really fucky with any even slightly unusual DNS messages. The principle: because you can't realistically ever declare a "flag day" and deprecate the X.509 WebPKI, you have to support both systems, so DANE doesn't collapse your trust anchors down to a smaller set; it actually adds to the number of things you have to trust.

It's really tragic that the Internet is so ossified. (Not just in this regard, but in many others.)