Last message in the thread: no, 0-RTT is not some NSA backdoor (Dear HN: grow up), there are no intentional back doors in TLS 1.3, and it is still overall AWESOME AND EXCITING and we'll be adding it to s2n ... VERY SOON. EOF.
Not having DNSSEC also gives you 0 DNSSEC related outages. My core point is that if it were just a harmless experiment, it'd be fine. Outages change it from a "HOLD" to a "SELL".
Expired certificates also create outages. Running a production network requires operational discipline. Folks who don't have it often outsource to folks who do. Cloudflare hosts tens of thousands of DNSSEC-signed domains just fine.
You're right about expired certificates, but TLS provides actual security too. That's my sense of the cost-benefit trade-off. DNSSEC isn't worth it. Cloudflare could be 100% perfect at operations and still suffer when an ISP screws up DNSSEC on the resolvers. Not so with TLS.