On 28 Sep 2018, at 8:32, manu tman wrote: > I have been thinking of a way to authenticate DoT servers for delegations > that cannot be validated using DANE as describe in Stephane’s draft > https://tools.ietf.org/html/draft-bortzmeyer-dprive-resolver-to-auth-01 > > The idea is to leverage both DNSSEC and SPKI to authenticate a zone but by > relying on the parent to validate the public key. I have documented it at > > https://datatracker.ietf.org/doc/draft-bretelle-dprive-dot-for-insecure-delegations/ > > Feedback is welcomed. Thanks
This approach (putting the SPKI in the parent) seems fine, as long as the parent is signed. If I read it correctly, it would not work securely if the parent is not signed, correct? Also, I disagree with the logic in Section 3.1 on using PKIX. Using PKIX certificates does not mean using the same CA structure as the web PKI, and trusting CAs for nameservers could be made a lot better than the current CABForum rules. --Paul Hoffman
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
