Great, it looks like the proposed standard for hardening SMTP/TLS could be repurposed for either http(s) or arbitrary ports as per my proposal, no?
Separate email thread for my alternate names suggestions?

On Sun, Apr 26, 2015 at 8:41 PM, Viktor Dukhovni <[email protected]> wrote:
> On Sun, Apr 26, 2015 at 02:37:08PM -0400, Paul Wouters wrote:
>
>> > I've blogged a proposal for a couple of DNS/DNSSEC extensions that I would
>> > be interested in taking forward to the next stage.
>> >
>> > Would anyone be able to direct me to the correct channel for my proposal?
>> > http://pirate.london/2015/04/using-dns-records-to-build-a-more-secure-web/
>>
>> Why publish HSTS information when you can publish the public key as well
>> using a TLSA record? Basically, the presence of a TLSA record means the
>> same as HSTS, "do connect with encryption please".
>
> Yes, to harden opportunistic TLS via DNSSEC, use DANE TLSA RRs,
> which for clients that support the approach kill two birds with
> one stone:
>
>  * Whether to authenticate
>  * How to authenticate
>
> https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-16#section-2.2
> https://tools.ietf.org/html/draft-ietf-dane-srv-13#section-4
>
> --
> Viktor.
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
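The two decisions Viktor lists, whether to authenticate and how to authenticate, come out of one TLSA RRset: its presence (when DNSSEC-secured) answers the first, and its usage/selector/matching-type parameters answer the second. The following is an added example of a client-side check that makes both decisions; it is not code from this thread, from either cited draft, or from any DANE implementation. The owner name, the DER byte strings and the TLSA record are constructed; the handling of an RRset whose records the client cannot use ("encrypt but do not authenticate") is this example's assumption, not a statement of what the drafts require; and PKIX-TA/DANE-TA usages are left out because they need the presented chain.

```python
"""Added example (not code from the thread or any IETF draft): a client-side
DANE TLSA policy check illustrating the two decisions named in the quoted
reply: whether to authenticate (is there a DNSSEC-secured TLSA RRset?) and
how to authenticate (the usage/selector/matching-type parameters of that
RRset). All names, records and byte strings below are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA record: usage, selector, matching type, association data."""
    usage: int
    selector: int
    matching: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the presentation form '<usage> <selector> <mtype> <hex data>' as
    printed by dig; the hex data may be split over several whitespace groups."""
    usage, selector, matching, *hex_parts = presentation.split()
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex("".join(hex_parts)))


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """TLSA owner name for a service. Port and protocol are part of the name,
    which is what lets one mechanism cover SMTP on 25, HTTPS on 443, or any
    other port."""
    return f"_{port}._{proto}.{host}"


# Parameter values this example client implements. Usages 0 (PKIX-TA) and
# 2 (DANE-TA) need the presented chain and are omitted here, so records that
# use them count as "unusable" for this client.
SUPPORTED_USAGES = {1, 3}       # 1 = PKIX-EE, 3 = DANE-EE
SUPPORTED_SELECTORS = {0, 1}    # 0 = full certificate, 1 = SubjectPublicKeyInfo
SUPPORTED_MATCHING = {0, 1, 2}  # 0 = exact, 1 = SHA-256, 2 = SHA-512


def usable(rr: TLSA) -> bool:
    return (rr.usage in SUPPORTED_USAGES
            and rr.selector in SUPPORTED_SELECTORS
            and rr.matching in SUPPORTED_MATCHING)


def tls_policy(rrset: list, dnssec_secure: bool) -> str:
    """'Whether to authenticate'. Only a DNSSEC-secured, non-empty TLSA RRset
    turns on mandatory TLS. Treating an RRset with no usable records as
    "encrypt, never fall back to cleartext" is an assumption of this example."""
    if not dnssec_secure or not rrset:
        return "opportunistic"        # no DANE signal: pre-DANE behaviour
    if any(usable(rr) for rr in rrset):
        return "authenticate"         # TLS required and the cert must match
    return "encrypt-only"             # TLS required, nothing usable to match


def association_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """'How to authenticate': derive what the record should contain from the
    peer's end-entity certificate, per selector and matching type."""
    chosen = cert_der if rr.selector == 0 else spki_der
    if rr.matching == 0:
        return chosen
    if rr.matching == 1:
        return hashlib.sha256(chosen).digest()
    return hashlib.sha512(chosen).digest()


def dane_match(rrset: list, cert_der: bytes, spki_der: bytes,
               pkix_valid: bool = False) -> bool:
    """True if any usable record matches the end-entity certificate.
    DANE-EE (3) is satisfied by the match alone; PKIX-EE (1) additionally
    needs the caller's ordinary PKIX chain validation to have passed."""
    for rr in rrset:
        if not usable(rr):
            continue
        if association_data(rr, cert_der, spki_der) != rr.data:
            continue
        if rr.usage == 3 or (rr.usage == 1 and pkix_valid):
            return True
    return False


# Constructed stand-ins for DER bytes; a real client takes these from the
# certificate presented in the TLS handshake.
CERT_DER = b"constructed-end-entity-certificate-der"
SPKI_DER = b"constructed-subject-public-key-info-der"

# Constructed RRset for the (hypothetical) name _443._tcp.www.example.com:
# one DANE-EE / SPKI / SHA-256 record, the usual "pin the server key" form.
EXAMPLE_RRSET = [parse_tlsa("3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest())]

if __name__ == "__main__":
    print(tlsa_owner_name("www.example.com", 443))
    print(tls_policy(EXAMPLE_RRSET, dnssec_secure=True))
    print(dane_match(EXAMPLE_RRSET, CERT_DER, SPKI_DER))
```

The point to notice is the asymmetry: an unsigned or absent RRset leaves the client in its old opportunistic mode, while a signed RRset of any kind commits it to TLS, and only the parameters then decide what "match" means. A real client must also require the TLSA lookup itself to be DNSSEC-secure (the AD bit from a validating resolver, or local validation), since an unvalidated record is just an attacker-controlled hint.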
