On Apr 19, 2013, at 1:29 PM, Richard Barnes <[email protected]> wrote:

> Just a thought: It might be simpler to do S/MIME certificate discovery using 
> WebFinger than using DANE.  You would just have to do an HTTPS query to a URI 
> of the form...
> 
> <https://example.com/.well-known/webfinger?resource=mailto:[email protected]&rel=certificate>
> 
> ... then parse a JSON object to find the certificate.  As opposed to having 
> an appropriately upgraded DNS library, being able to do DNSSEC, and parsing 
> the binary record format.

That might be a good way to do certificate discovery, but not really a good way 
to have a second trust anchor if one wanted to get away from the distributed 
PKIX hierarchies.

There are plenty of ways to do certificate discovery. The question is how to be 
sure that the certificate you get is one you want to use.

> This process could still benefit from DANE, via TLSA validation on the HTTPS 
> connection.  And basically the only documentation you would need would be to 
> define the "certificate" relation type.

Um, doesn't that wipe out the supposed advantages you list above?

--Paul Hoffman
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
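As an added illustration of the two halves of this exchange (it is not code from the thread or from either author), the script below separates WebFinger *discovery* of an S/MIME certificate from the *trust* decision Paul is pointing at. It assumes the hypothetical `certificate` link relation Richard proposes (not a registered rel value), a constructed JRD response for a made-up `alice@example.com`, and constructed stand-in bytes in place of a real DER certificate; the "trust anchor" is modelled as a set of certificate digests that must come from somewhere other than the discovery step.

```python
"""WebFinger certificate discovery (RFC 7033 JRD parsing), kept separate from trust.

Added example, not from the thread. The "certificate" link relation is the
hypothetical relation type proposed in the thread, not a registered rel value.
"""
import hashlib
import json
from urllib.parse import quote

CERT_REL = "certificate"  # hypothetical link relation from the thread


def webfinger_url(host: str, email: str, rel: str = CERT_REL) -> str:
    """Build the query URI the thread sketches; the resource value is
    percent-encoded as RFC 7033 requires for query parameters."""
    resource = quote("mailto:" + email, safe="")
    return (f"https://{host}/.well-known/webfinger"
            f"?resource={resource}&rel={quote(rel, safe='')}")


def discover_certificate_hrefs(jrd_text: str, resource: str) -> list[str]:
    """Parse a JRD document and return the href of every rel="certificate" link.

    Refuses a document whose subject does not match the queried resource, so a
    response for one mailbox cannot be passed off as the answer for another.
    """
    jrd = json.loads(jrd_text)
    if jrd.get("subject") != resource:
        raise ValueError(f"JRD subject {jrd.get('subject')!r} != queried {resource!r}")
    hrefs = []
    for link in jrd.get("links", []):
        if link.get("rel") == CERT_REL and "href" in link:
            hrefs.append(link["href"])
    return hrefs


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes, the form a pinned association would carry."""
    return hashlib.sha256(cert_der).hexdigest()


def is_trusted(cert_der: bytes, trusted_digests: set[str]) -> bool:
    """Discovery only says where a certificate is; whether to use it needs an
    independent anchor (for instance a digest obtained through DNSSEC-validated
    DANE data, or a CA path). That anchor is modelled here as expected digests."""
    return cert_digest(cert_der) in trusted_digests


# Constructed sample JRD response (not from a real server).
SAMPLE_RESOURCE = "mailto:alice@example.com"
SAMPLE_JRD = json.dumps({
    "subject": SAMPLE_RESOURCE,
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page",
         "href": "https://example.com/~alice"},
        {"rel": CERT_REL, "type": "application/pkix-cert",
         "href": "https://example.com/certs/alice.cer"},
    ],
})
# Constructed stand-in for the DER bytes the href would yield (not a real certificate).
SAMPLE_CERT_DER = b"\x30\x82\x00\x00-constructed-not-a-real-certificate"

if __name__ == "__main__":
    print(webfinger_url("example.com", "alice@example.com"))
    hrefs = discover_certificate_hrefs(SAMPLE_JRD, SAMPLE_RESOURCE)
    print("discovered:", hrefs)
    # Pretend this digest was obtained from a separate trust source.
    anchor = {cert_digest(SAMPLE_CERT_DER)}
    print("trusted:", is_trusted(SAMPLE_CERT_DER, anchor))
    print("tampered trusted:", is_trusted(SAMPLE_CERT_DER + b"x", anchor))
```

The point of the split is that a JSON lookup over HTTPS answers "where is the certificate?" cheaply, but the answer is only as trustworthy as the HTTPS connection and the server; if the thing you wanted was a second anchor independent of the Web PKI, the digest set in `is_trusted` has to be fed from that other source, which is exactly where DNSSEC and TLSA-style records come back in.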
