On 03/22/2013 08:30 PM, Viktor Dukhovni wrote:
> On Fri, Mar 22, 2013 at 07:30:57PM +0100, Guido Witmond wrote:
>> So no new OpenSSL library code is required to support this, if one
>> stares at the (lightly documented) OpenSSL API hard enough, but
>> still "IN TLSA x 0 0" looks unwieldy.
> It seems you're somehow confused, or I'm not understanding your
> reply. The "3 1 1" and "2 1 1" use cases cover everything other
> than how the mechanism for conveying the TA issuing certificate.
To clear up any confusion, I wanted to give an example of why I use
2-0-0 full certificates and I'm not convinced to give them up, yet.
Although your DNS-cache arguments are quite compelling.
thanks, Guido.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane