On Fri, Aug 30, 2019, 20:30 Randy Bush <randy@psg.com> wrote:
> There is still too much money in the CA business.

well, though on the surface i agree, i do not take it as a motivation to
add one more chunk of sysadmin.

> Which is the reason why no major browser does TLSA validation.

well. there is the extra protocol turn.  agl tried and backed off,
seemingly because of that.

The problem with the added extra lookup, which added more latency, which increased the chances of packet loss, causing expensive timeouts and retransmissions, had been somewhat worked on but was abandoned [1] and won't be revisited, [2] being the browser community's take on this afaik.

Given that Let's Encrypt's own root, which was supposed to be pushed out this July but got delayed till 2020, is widely trusted by browsers, one can hardly claim that the browser community is run by some "cert cabal".

If the "cert cabal" tries anything, it will be to block acceptance and/or usage of self-signed and Let's Encrypt-signed certs with high-profile cloud providers, because that's where the money is and corporates are somewhat vendor-locked-in there, which makes them easy prey for additional fees.

JBG

1. https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
2. http://www.certificate-transparency.org
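For readers who have not seen what "TLSA validation" actually involves on the client side, here is an added illustration (not code from this thread or from any browser) of the matching step a client would run once it has fetched the TLSA record: parse the RDATA, derive the certificate association data from the presented chain, and compare. It assumes selector 0 (full certificate); selector 1 (SubjectPublicKeyInfo) would need an ASN.1 parser and is rejected explicitly. The "certificates" are constructed byte strings, not real DER, and the function names are this example's own.

```python
"""Minimal DANE TLSA (RFC 6698) matching against a presented certificate chain.

Added example, not code from the mailing-list thread. Handles selector 0
(full certificate) with matching types 0 (exact), 1 (SHA-256) and 2 (SHA-512).
Selector 1 (SubjectPublicKeyInfo) is rejected because it needs ASN.1 parsing.
The certificates below are constructed bytes, not real DER certificates.
"""
import hashlib
import hmac
import struct

# Constructed stand-ins for a DER-encoded leaf and its issuing CA (not real certs).
CONSTRUCTED_LEAF_DER = bytes.fromhex("3082010a0201") + b"constructed-leaf-certificate" * 3
CONSTRUCTED_CA_DER = bytes.fromhex("3082010a0201") + b"constructed-issuing-ca-certificate" * 3


def parse_tlsa_rdata(rdata: bytes):
    """Split TLSA wire-format RDATA into (usage, selector, matching_type, data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def tlsa_from_presentation(text: str) -> bytes:
    """Build wire RDATA from the zone-file form, e.g. '3 0 1 <hex digest>'."""
    usage, selector, mtype, hexdata = text.split()
    return struct.pack("!BBB", int(usage), int(selector), int(mtype)) + bytes.fromhex(hexdata)


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the certificate association data the record is expected to carry."""
    if selector != 0:
        # Selector 1 hashes the SubjectPublicKeyInfo only; needs ASN.1 parsing.
        raise NotImplementedError("selector 1 (SPKI) is not implemented in this example")
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def check_tlsa(rdata: bytes, chain: list) -> dict:
    """Match one TLSA record against a chain (leaf first).

    Usages 1 and 3 (PKIX-EE / DANE-EE) constrain the leaf; usages 0 and 2
    (PKIX-TA / DANE-TA) must match a CA certificate found in the chain.
    Usages 0 and 1 additionally require ordinary PKIX validation to succeed,
    which this example does not perform; it only reports that it is required.
    """
    usage, selector, mtype, expected = parse_tlsa_rdata(rdata)
    if usage in (1, 3):
        candidates = chain[:1]
    elif usage in (0, 2):
        candidates = chain[1:]  # assumption: trust anchor is presented after the leaf
    else:
        raise ValueError(f"unknown certificate usage {usage}")
    match = any(
        hmac.compare_digest(association_data(c, selector, mtype), expected)
        for c in candidates
    )
    return {"usage": usage, "match": match, "pkix_required": usage in (0, 1)}


def demo() -> list:
    """Run the matcher over a DANE-EE record, a DANE-TA record and a mismatch."""
    chain = [CONSTRUCTED_LEAF_DER, CONSTRUCTED_CA_DER]
    ee = tlsa_from_presentation("3 0 1 " + hashlib.sha256(CONSTRUCTED_LEAF_DER).hexdigest())
    ta = tlsa_from_presentation("2 0 2 " + hashlib.sha512(CONSTRUCTED_CA_DER).hexdigest())
    pkix_ee = tlsa_from_presentation("1 0 1 " + hashlib.sha256(CONSTRUCTED_LEAF_DER).hexdigest())
    wrong = tlsa_from_presentation("3 0 1 " + hashlib.sha256(b"some other cert").hexdigest())
    return [check_tlsa(ee, chain), check_tlsa(ta, chain), check_tlsa(pkix_ee, chain), check_tlsa(wrong, chain)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the thread is making is that every one of these checks sits behind an extra DNS round trip for the TLSA name, and that lookup (plus its DNSSEC chain) is what the browser vendors were unwilling to pay for; the matching itself is cheap.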