On 2 Oct 2014, at 22:56, Doug Montgomery <[email protected]> wrote:

> Having a scalable, simple, but definitive way to indicate that a previously 
> valid email-identity/certificate is no longer valid within a given domain is 
> a useful feature that doesn't seem to have an analog use case in TLS.

If you trust in DANE, and the certificate is no longer published in DNS, it is 
not valid - no revocation is needed.
If you do not trust in DANE, normal/legacy revocation procedures (OCSP/CRL) 
apply.

my 0.01€,

        jakob

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
