Matt Larson <[email protected]> wrote:
>
> Is there a reason you don't include a third option: retrieving the trust
> anchor file published by IANA/PTI
> (https://data.iana.org/root-anchors/root-anchors.xml) and validating
> with the detached S/MIME signature published in the same place
> (https://data.iana.org/root-anchors/root-anchors.p7s)?  That signature
> chains to the ICANN CA cert, which currently expires in 2029.

Is there anything like the KSK operator DPS for that CA cert and the
signatures that are generated with it?

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/  -  I xn--zr8h punycode
Southwest Viking: Westerly veering northwesterly 6 to gale 8. Rough or very
rough. Rain at times. Moderate or good.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
