On 24.08.2013 03:21, Peter Saint-Andre wrote:
> On 8/23/13 1:55 AM, Evgeniy Khramtsov wrote:
>> I admit I'm a total noob in all that CA/PKIX/DNSSEC stuff as it makes
>> me sleepy as hell when I try to dive into it ;) What I'd like to
>> have is TLS security without any CAs at all. If we can do that
>> with DANE/DNSSEC/ABCD, I'm in ;)
>
> I think we're all in -- or we *will* be when DANE/DNSSEC is widely
> deployed, which unfortunately won't happen for years (IMHO) because of
> all the dependencies on making it work.
>
> In the meantime, something like POSH can help:
> https://datatracker.ietf.org/doc/draft-miller-posh/

I read the I-D briefly. It seems like I still need CA-signed certfile
for the HTTPS-server holding the JWK: "... the HTTPS retrieval mechanism
relies on the chain of trust based on the *public* *key* *infrastructure*".
--
Regards,
Evgeniy Khramtsov, ProcessOne.
xmpp:[email protected].