On 04/10/10 15:37, Martin Rex wrote: > One thing that needs to be addressed/solved is the key/cert rollover > for any TLS-Server, so that it is possible to list more than one > server cert as "valid" for a Server through DNS, at least for the > time of the transition/rollover.
Maybe a side-issue here, but this came up in the W3C WSC work and I wrote up an idea for that (not based on DNS) which is RFC 5697. [1] No idea if anyone is using or would use it, though I did have a student implement it, so it *could* work. (Note: that's an experimental-track RFC, as it ought be:-) S. [1] http://tools.ietf.org/html/rfc5697 _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
