undefined | Better HN

0 pointsIshKebab10y ago0 comments

The TL;DR of that is:

1. DNSSEC uses a lot of 1024-bit RSA signatures (those are relatively weak) 2. You can't monitor the certificates that CA's issue because anyone issue their own certificates.

The first issue seems valid, but fixable. The second is a weird thing to complain about because it is the entire point of DANE!

0 comments

nickik10y ago

Fixable but very unlikely to be fixed anytime sone. Plus the tons of technical issues that make it even more of a problem to use and maintain. To make it viable it would probably have to start over.

I'm not holding my breath.

j / k navigate · click thread line to collapse