> CT or no CT, you won't catch CAs MITMing you until it's too late, and even with CT you depend utterly on the sites you visit actually auditing CT.
You won't ever catch a malicious nameserver operator if they wish to MITM a specific victim. There's no monitoring at all, all while utterly depending on the fact that they even enforce DNSSEC.
What's worse is that DNSSEC keys tend to live very long; if those are compromised, it will probably be abusable for years.
> a) perform the same lookups in different networks, b) you can download, cache, and check . and TLDs so you can catch those lying (which is 99% of the battle).
But if you're not the victim, it's unlikely you'll ever notice as a site operator. CT in that sense is different and much better, as you can't rely on end-users reporting these things.
DNSSEC right now is a much, much worse PKI than WebPKI is.
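The two monitoring ideas quoted in the comment above (the same lookups from different networks, and a cached copy of the root/TLD DS and DNSKEY sets to compare against) plus the "keys live very long" complaint can be turned into a small consistency check. The script below is an added example written for this page, not code from the thread's participants; the vantage point names, zone, digests and timestamps are constructed sample data, and in practice the observations would come from running something like `dig +dnssec @<resolver>` from each network.

```python
"""Cross-vantage-point consistency check for DNSSEC material (added example).

Three checks, mirroring the comment above:
  1. find_disagreements: do different networks see the same DS/DNSKEY/A sets?
  2. check_against_cache: do live answers match a locally cached, previously
     validated copy of root/TLD/zone material?
  3. long_lived_keys: which DS/DNSKEY sets have gone unchanged for a long time?
All data below is constructed for illustration, not real keys or resolvers.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed DS rdata (keytag, algorithm, digest type, digest). Not real keys.
DS_EXAMPLE = "12345 13 2 " + "ab" * 32   # what honest vantage points return
DS_FORGED = "55555 13 2 " + "00" * 32    # what a lying resolver returns
ROOT_KSK = "257 3 8 " + "QU" * 16        # constructed stand-in for the root DNSKEY

# Constructed observations: (vantage point, zone, rrtype, rdata set).
OBSERVATIONS = [
    ("home-isp", "example.", "DS", {DS_EXAMPLE}),
    ("mobile", "example.", "DS", {DS_EXAMPLE}),
    ("vps-eu", "example.", "DS", {DS_EXAMPLE}),
    ("hotel-wifi", "example.", "DS", {DS_FORGED}),      # the odd one out
    ("home-isp", "example.", "A", {"203.0.113.10"}),
    ("mobile", "example.", "A", {"203.0.113.10"}),
    ("vps-eu", "example.", "A", {"203.0.113.10"}),
    ("hotel-wifi", "example.", "A", {"198.51.100.7"}),  # A record also swapped
    ("home-isp", ".", "DNSKEY", {ROOT_KSK}),
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed local cache of previously validated sets, with first-seen dates.
CACHE = {
    ("example.", "DS"): {"rdata": frozenset({DS_EXAMPLE}),
                         "first_seen": NOW - timedelta(days=5 * 365)},
    (".", "DNSKEY"): {"rdata": frozenset({ROOT_KSK}),
                      "first_seen": NOW - timedelta(days=120)},
}


def find_disagreements(observations):
    """Group answers by (zone, rrtype); return only those where vantage points disagree.
    Record sets are compared as frozensets so ordering differences do not count."""
    by_key = defaultdict(dict)
    for vantage, zone, rtype, rdata in observations:
        by_key[(zone, rtype)][vantage] = frozenset(rdata)
    return {key: answers for key, answers in by_key.items()
            if len(set(answers.values())) > 1}


def outliers(answers):
    """Within one disagreeing set, name vantage points holding a minority answer.
    A majority is not proof of truth (several networks could share a resolver),
    but it is where to start looking. Ties yield no outliers."""
    counts = defaultdict(int)
    for rdata in answers.values():
        counts[rdata] += 1
    majority = max(counts.values())
    return sorted(v for v, r in answers.items() if counts[r] < majority)


def check_against_cache(observations, cache):
    """Compare each live observation with the cached copy of the same (zone, rrtype).
    Returns [(vantage, zone, rtype, observed, cached)] for every mismatch;
    records with no cached counterpart are skipped."""
    mismatches = []
    for vantage, zone, rtype, rdata in observations:
        entry = cache.get((zone, rtype))
        if entry is not None and frozenset(rdata) != entry["rdata"]:
            mismatches.append((vantage, zone, rtype, frozenset(rdata), entry["rdata"]))
    return mismatches


def long_lived_keys(cache, now, max_age_days=365):
    """Flag DS/DNSKEY sets unchanged for longer than max_age_days (assumed threshold)."""
    limit = timedelta(days=max_age_days)
    return sorted((zone, rtype) for (zone, rtype), entry in cache.items()
                  if rtype in ("DS", "DNSKEY") and now - entry["first_seen"] > limit)


if __name__ == "__main__":
    for key, answers in find_disagreements(OBSERVATIONS).items():
        print("disagreement on", key, "outliers:", outliers(answers))
    for m in check_against_cache(OBSERVATIONS, CACHE):
        print("cache mismatch:", m[:3])
    print("long-lived keys:", long_lived_keys(CACHE, NOW))
```

The cache comparison is the part that does not need a victim to report anything: an operator who periodically refreshes and validates the root and TLD DS/DNSKEY sets from a trusted path can diff every other vantage point against that copy. The age check only tells you a key has been around a long time, which is the exposure window the comment worries about, not that it has been compromised.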