On Sun, Apr 26, 2015 at 02:37:08PM -0400, Paul Wouters wrote:

> >I've blogged a proposal for a couple of DNS/ DNSSEC extensions that I would 
> >be interested in taking forward to the next stage.
> >
> >Would anyone be able to direct me to the correct channel for my proposal?
> >http://pirate.london/2015/04/using-dns-records-to-build-a-more-secure-web/
> 
> Why publish HSTS information when you can publish the public key as well
> using a TLSA record? Basically, the presence of a TLSA record means the
> same as HSTS, "do connect with encryption please".

Yes, to harden opportunistic TLS via DNSSEC, use DANE TLSA RRs,
which for clients that support the approach kill two birds with
one stone:

    * Whether to authenticate
    * How to authenticate

    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-16#section-2.2
    https://tools.ietf.org/html/draft-ietf-dane-srv-13#section-4

-- 
        Viktor.
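As an added illustration of the "whether" and "how" split in Viktor's reply (example code, not from the thread or from either cited draft): a small Python module that parses TLSA RDATA in presentation format and checks a leaf certificate against DANE-EE(3) records only. The DER byte strings are constructed stand-ins, not real certificates; treating PKIX-* usages (0/1) as unusable follows the SMTP draft, and DANE-TA(2), which needs chain building, is deliberately not implemented.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0/1 = PKIX-*, 2 = DANE-TA, 3 = DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA2-256, 2 = SHA2-512
    data: bytes    # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 a1b2c3...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def _digest(mtype: int, blob: bytes) -> bytes:
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def dane_ee_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any DANE-EE(3) record matches the leaf cert or its SPKI."""
    for r in records:
        if r.usage != 3:
            continue  # DANE-TA(2) needs chain validation; not handled here
        blob = cert_der if r.selector == 0 else spki_der
        if _digest(r.mtype, blob) == r.data:
            return True
    return False


def tls_policy(records, cert_der: bytes, spki_der: bytes) -> str:
    """No usable records -> plain opportunistic TLS; otherwise the peer
    must match a record ("whether" and "how" come from the same RRset)."""
    usable = [r for r in records if r.usage in (2, 3)]  # PKIX-* unusable (assumption: SMTP rules)
    if not usable:
        return "unauthenticated"
    return "authenticated" if dane_ee_matches(usable, cert_der, spki_der) else "reject"


# Constructed sample inputs: placeholders for DER blobs, not real certificates.
SAMPLE_CERT = b"constructed-leaf-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info-der"
SAMPLE_RDATA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```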

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane