<div><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 26, 2019 at 6:25 AM David Conrad <<a href="mailto:drc@virtualized.org">drc@virtualized.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space"></div><div style="word-wrap:break-word;line-break:after-white-space">On Feb 26, 2019, at 2:35 PM, Ca By <<a href="mailto:cb.list6@gmail.com" target="_blank">cb.list6@gmail.com</a>> wrote:<div><blockquote type="cite"><div><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <<a href="mailto:woody@pch.net" target="_blank">woody@pch.net</a>> wrote:</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <<a href="mailto:hank@efes.iucc.ac.il" target="_blank">hank@efes.iucc.ac.il</a>> wrote:<br>
> Did you have a CAA record defined and if not, why not?<br>
<br>
It’s something we’d been planning to do but, ironically, we’d been in the process of switching to Let’s Encrypt, and they were one of the two CAs whose process vulnerabilities the attackers were exploiting. So, in this particular case, it wouldn’t have helped.<br>
<br>
I guess the combination of CAA with a very expensive, or very manual, CA, might be an improvement. But it’s still a band-aid on a bankrupt system.<br>
<br>
We need to get switched over to DANE as quickly as possible, and stop wasting effort trying to keep the CA system alive with ever-hackier band-aids.<br>
<br>
-Bill</blockquote><div dir="auto"><br></div><div dir="auto">DNS guy says the solution for insecure DNS is... wait for it.... more DNS ...</div></div></div></div></blockquote></div><br></div><div style="word-wrap:break-word;line-break:after-white-space"><div>Well, no. "DNS guy” (Bill’s a bit more than that, of course) says the solution for a fundamentally broken trust model is a different system to derive trust.</div><div><br></div><div>Or do you think Let’s Encrypt/Comodo increase trust?</div><div></div></div></blockquote><div dir="auto"><br></div><div dir="auto">The trust issue has not yet been solved on the internet. </div><div dir="auto"><br></div><div dir="auto">Swapping the DNS cabal for the CA cabal is not an improvement. Right? They are really the same arbitraging rent-seekers, just different layers. </div><div dir="auto"><br></div><div dir="auto">Using DANE to verify multiple layers is interesting, but the web folks aren’t playing so it won’t go anywhere. Right? Google, Wechat, FB, msft, and Apple aren’t coming along. </div><div dir="auto"><br></div><div dir="auto">Since you mentioned Let’s Encrypt, they have reduced plaint text, which is great. But trust is a harder issue. </div><div dir="auto"><br></div><div dir="auto">For example, Symantec has lost trust. But only after repeated bad actions. </div><div dir="auto"><br></div><div dir="auto"><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space"><div><br></div><div>Regards,</div><div>-drc</div><div><br></div></div></blockquote></div></div>