On 2013-10-30 at 10:17 +0100, Tomek Nagisa wrote:
> > Looks cool. Is there an intention to support TLSA+DNSSEC
> > providing a trust anchor to override the automatic F grade
> > for having an untrusted CA cert?
>
> Change TLSA record from "IN TLSA (2 0 0 ..." to " IN TLSA (3 0 0 "?
No, because the TLSA record is for the CA, not for the server certificate. I have TLSA records for each CA I have certs for, and then the relevant anchor names have CNAMEs pointing to the relevant CA record.

I will be changing from "2 0 0" to something smaller, to avoid packet size issues, at some point in the future; this is why I've made sure that the trust anchor cert is included in the cert chain sent inside TLS as part of the handshake.

Viktor Dukhovni has a relevant Draft out on operational concerns which explains this well. In fact, it looks like it's been renamed and taken on as an IETF WG product: draft-ietf-dane-ops-01.txt.

http://tools.ietf.org/html/draft-ietf-dane-ops-01

-Phil
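Added example (not code from this thread or from the service Phil runs): it builds TLSA RDATA for a CA cert under the full-certificate "2 0 0" form and the much smaller "2 1 1" (SHA-256 of the SubjectPublicKeyInfo) form, and checks a record against a presented chain the way RFC 6698 does, so that omitting the trust-anchor cert from the TLS handshake makes a usage-2 record fail while usage 3 only ever looks at the end-entity cert. The certificates are constructed, structurally minimal DER blobs, not real X.509 certs, and the hypothetical `make_sample_cert` helper exists only to build them.

```python
import hashlib

def der_enc(tag, body):
    # Short-form DER TLV encoder, sufficient for the small constructed sample certs below.
    return bytes([tag, len(body)]) + body

def der_tlv(buf, pos=0):
    # Decode one DER TLV at pos (short or long-form length): (tag, value, position after element).
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def make_sample_cert(pubkey, serial):
    # Constructed, structurally minimal Certificate DER (not a real X.509 cert; no real signature).
    spki = der_enc(0x30, der_enc(0x30, b"") + der_enc(0x03, b"\x00" + pubkey))
    tbs = der_enc(0x30, der_enc(0xA0, der_enc(0x02, b"\x02")) + der_enc(0x02, bytes([serial]))
                  + der_enc(0x30, b"") * 4 + spki)  # sigalg, issuer, validity, subject left empty
    return der_enc(0x30, tbs + der_enc(0x30, b"") + der_enc(0x03, b"\x00"))

def extract_spki(cert_der):
    # Walk Certificate -> tbsCertificate -> SubjectPublicKeyInfo; RFC 6698 selector 1 covers its DER.
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(cert_body)
    tag, _, pos = der_tlv(tbs)              # [0] version (optional) or serialNumber
    for _ in range(4 + (tag == 0xA0)):      # (serialNumber,) signature, issuer, validity, subject
        _, _, pos = der_tlv(tbs, pos)
    _, _, end = der_tlv(tbs, pos)
    return tbs[pos:end]

def tlsa_rdata(cert_der, usage, selector, mtype):
    # TLSA RDATA per RFC 6698: selector 0 = full cert, 1 = SPKI; matching 0 = exact, 1 = SHA-256, 2 = SHA-512.
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype:
        data = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    return (usage, selector, mtype, data)

def tlsa_presentation(rr):
    u, s, m, d = rr
    return f"IN TLSA ( {u} {s} {m} {d.hex()} )"

def tlsa_matches_chain(rr, chain):
    # Usage 3 (DANE-EE) is checked against the end-entity cert only (chain[0]); usage 2 (DANE-TA) may
    # match any cert the server presented, which is why the trust anchor must be sent in the handshake.
    u, s, m, d = rr
    candidates = chain[:1] if u in (1, 3) else chain
    return any(tlsa_rdata(c, u, s, m)[3] == d for c in candidates)

# Constructed sample chain: end-entity cert plus the trust-anchor CA cert that (nominally) issued it.
CA_CERT = make_sample_cert(bytes(range(32)), 1)
EE_CERT = make_sample_cert(bytes([0xAA]) * 32, 2)
```

Comparing `len(tlsa_rdata(CA_CERT, 2, 0, 0)[3])` with the 32-byte digest from `tlsa_rdata(CA_CERT, 2, 1, 1)` shows the packet-size saving Phil refers to; with a real CA cert the full form is several kilobytes.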