[Cryptography] Certificates and PKI

Paul Wouters paul at cypherpunks.ca
Sat Dec 27 12:22:21 EST 2014

On Sat, 27 Dec 2014, Viktor Dukhovni wrote:

>>> However evidence of the parent serving the child zone, as if no
>>> delegation existed, is more difficult to accomodate in a transparency
>>> scheme.
>> Exactly.
> CT for parent domains serving entries in what should be a child
> domain is doable I think.

As someone told me offline, qname minimalization actually solves this

> I've not been following the "trans" working group, is there a
> plausible design for CT for DNSSEC, or do the problems look
> intractable?

That discussion has started, but the WG first wants to focus on the core
documents and complete those before moving into the other areas such as
DNSSEC and binary blob transparency.


More information about the cryptography mailing list