On Fri, Sep 30, 2016 at 08:36:58AM -0400, John wrote: > This may be way off topic, if I apologise.
Not really, not much anyway. > Looking a the available CAs many of them do not seem to pass the > /s//niff test//./ WoSign/Startcom are not alone in being found to > be either incompetent or dishonest. Which made me wonder if there > might be an alternative to CA issued certs. Is there anyway that > DNS/DNSSEC could be used to publish and verify certs. It's called DANE, see RFC 6698 and Victor's post earlier in this thread. To understand this you need to understand the different roles a Postfix MTA might serve. DANE is for MTA-to-MTA mail exchange. WebPKI (commercial or free) certs are more useful for user-to-MTA (MSA) submission. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
