On 30.11.2016 at 21:57, sivmu wrote:
> when pinning your certificates you can include one whose
> corresponding key is not on the machine but acts as the backup key, maybe
> even offline.
Not "can", it's not an option, it is mandatory! The browsers will NOT accept HPKP pinning if you don't add a currently unused backup key.

Regarding DANE and HTTPS: It's not the client who checks the TLSA records and verifies the KSK/ZSK signatures, it's your nameserver. Only a few people host their own nameserver at home or on their smartphone etc... - usually the nameserver of your ISP is used - so: just intercept the last mile and DANE is broken.
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
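The backup-pin rule the reply refers to is what RFC 7469 pin validation enforces: a Public-Key-Pins header needs at least two pins, at least one matching a key in the served chain and at least one that does not (the offline backup). The checker below is an added example, not code from the list or from the poster; the SPKI byte strings are constructed placeholders standing in for real DER-encoded SubjectPublicKeyInfo structures.

```python
import base64
import hashlib


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header into its pins, max-age and flags."""
    pins, max_age, flags = [], None, set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        else:
            flags.add(name)  # includeSubDomains etc.
    return {"pins": pins, "max_age": max_age, "flags": flags}


def check_hpkp(header: str, served_chain_spki: list) -> list:
    """Return the reasons a browser would reject the header ([] means it is accepted)."""
    parsed = parse_pkp_header(header)
    pins = set(parsed["pins"])
    chain_pins = {pin_sha256(spki) for spki in served_chain_spki}
    problems = []
    if parsed["max_age"] is None:
        problems.append("max-age directive missing")
    if len(pins) < 2:
        problems.append("fewer than two distinct pins")
    if not pins & chain_pins:
        problems.append("no pin matches a key in the served chain")
    if not pins - chain_pins:
        problems.append("no backup pin: every pin matches a served key")
    return problems


# Constructed placeholder SPKI bytes (not real keys) for a stand-alone run.
LEAF_SPKI = b"constructed-leaf-spki-der"
BACKUP_SPKI = b"constructed-offline-backup-spki-der"

if __name__ == "__main__":
    good = f'pin-sha256="{pin_sha256(LEAF_SPKI)}"; pin-sha256="{pin_sha256(BACKUP_SPKI)}"; max-age=5184000'
    bad = f'pin-sha256="{pin_sha256(LEAF_SPKI)}"; max-age=5184000'
    print("with backup pin:", check_hpkp(good, [LEAF_SPKI]))
    print("without backup pin:", check_hpkp(bad, [LEAF_SPKI]))
```

Run it against the header your server actually sends and the SPKI of each certificate in the served chain; an empty list is the only result a browser will honour.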
