On Friday, April 19, 2013, Tony Finch wrote:

> Richard Barnes <[email protected]> wrote:
> >
> > The benefit of this one is that you don't actually need the cert. You
> > could just provision a public key this way. The binding of the public key
> > to the identity is done by virtue of the fact that the web server
> > represents "example.com". It's conceptually the same as if you had put a
> > TA in DNSSEC, it just routes through the HTTPS cert.
>
> How do you represent this relationship in a form you can verify offline?
>
> Tony.

With public keys, you wouldn't. With PKIX, you could have WF assert a TA for the domain, just like DANE.

--Richard

> --
> f.anthony.n.finch <[email protected]> http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
