
This Tweet was deleted by the Tweet author.

Please don't let them impose inane policies on what sort of DANE records are acceptable for web. Anything should be accepted and completely override webpki if DANE semantics say it does (DANE-EE(3) or -TA(2) vs PKIX-*(0 or 1)).
They aren't going to implement it. It's very clear that it isn't going to happen. It's never going to get implemented if it's only advocated as a replacement for WebPKI instead of something usable alongside it. I want it to get implemented.
Replaced those tweets with another one that's less specific about how they could address the concerns they've raised about it in the past. It can be implemented in a way that sidesteps all of their concerns and then those things can be argued over time as separate issues.
Support DNSSEC and verify TLSA records on top of what they already implement rather than replacing it. As long as I can pin the public keys of leaf certificates, I'll be happy. I don't care about avoiding the need to use something like Let's Encrypt. Not a hill I want to die on.