On 23.08.2013 17:43, Dave Cridland wrote:
> You're wrong, actually. But what Phil suggested here was using it for
> CA pinning, where the certificate is signed by a CA not in your list
> of trust anchors, where trust in the chain derives from DNSSEC.
> As a more complete explanation, DNSSEC allows records that publish the
> CA, or certificate, of a service, and whether it is the only such
> object acceptable or whether it is merely additionally acceptable (i.e.,
> if normal PKIX rules apply as well or not). Very flexible, very
> powerful, well worth looking into.
I admit I'm a total noob in all that CA/PKIX/DNSSEC stuff as it makes me
sleepy as hell when I try to dive into it ;) What I'd like to have is
TLS security without any CAs at all. If we can do that with
DANE/DNSSEC/ABCD, I'm in ;)
--
Regards,
Evgeniy Khramtsov, ProcessOne.
xmpp:[email protected].
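An added example, not part of the thread: a Python sketch of how a TLS client applies the TLSA certificate-usage field that Dave describes, where usages 0/1 only constrain normal PKIX validation while usages 2/3 replace the local trust anchors (Phil's "CA not in your list of trust anchors" is usage 2, "no CAs at all" is usage 3). The certificate bytes and records are constructed placeholders, not real DER or DNS data, and path building to a DANE-TA anchor is reduced to a boolean.

```python
import hashlib
from dataclasses import dataclass

# TLSA certificate-usage values (RFC 6698, section 2.1.1).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

# Constructed stand-ins for certificates: real code would hold parsed X.509.
EE_CERT = {"der": b"constructed-ee-der", "spki": b"constructed-ee-spki"}
CA_CERT = {"der": b"constructed-ca-der", "spki": b"constructed-ca-spki"}

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0-3, see the constants above
    selector: int  # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo
    matching: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data from the DNS record

def association_data(cert: dict, rr: TLSA) -> bytes:
    """Derive the bytes a TLSA record of this selector/matching type carries."""
    blob = cert["der"] if rr.selector == 0 else cert["spki"]
    if rr.matching == 0:
        return blob
    if rr.matching == 1:
        return hashlib.sha256(blob).digest()
    if rr.matching == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {rr.matching}")

def dane_verify(chain: list, records: list, pkix_valid: bool, chain_valid: bool) -> bool:
    """chain[0] is the server's end-entity cert, chain[1:] the issuers it presented.
    pkix_valid: ordinary PKIX validation against local trust anchors succeeded.
    chain_valid: signatures in the presented chain verify (no trust anchor needed).
    Returns True if at least one DNSSEC-validated TLSA record authenticates the chain."""
    for rr in records:
        if rr.usage in (PKIX_TA, PKIX_EE) and not pkix_valid:
            continue  # PKIX-* usages add a constraint; they never replace PKIX
        if rr.usage == DANE_TA and not chain_valid:
            continue  # DANE-TA: the chain must still lead to the named anchor
        if rr.usage in (PKIX_TA, DANE_TA):
            # Trust-anchor usages name a CA certificate somewhere in the chain.
            matched = any(association_data(c, rr) == rr.data for c in chain[1:])
        else:
            # End-entity usages name the server's own certificate.
            matched = association_data(chain[0], rr) == rr.data
        if matched:
            return True
    return False

if __name__ == "__main__":
    pin = TLSA(DANE_EE, 1, 1, association_data(EE_CERT, TLSA(DANE_EE, 1, 1, b"")))
    print(dane_verify([EE_CERT, CA_CERT], [pin], pkix_valid=False, chain_valid=False))
```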