On Mon, Apr 20, 2015 at 10:02 AM, Alice Wonder <[email protected]> wrote:
> For each valid certificate, the DNS server will respond as an authoritative
> DNS to a request for a TXT record of the serial number. For example:
>
> dig TXT d3we74ldqw1190.example.pki. +short
>
> would then get the rdata for that certificate, with a record that can be
> DNSSEC validated, if the certificate is valid.
We experimented with this in Chrome, although the TXT record was planned to
contain something similar to a signed OCSP response. We found that ~3-4% of
users couldn't look up TXT records. That rather sunk it since it would need to
be hard-fail.

Cheers

AGL

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
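The following is an added worked example (not code from either poster, nor from Chrome) of the lookup scheme quoted above and of the hard-fail point AGL raises. It assumes, since the thread does not say, that the query label is the certificate serial number encoded as lowercase hex, that the TXT rdata is opaque and its DNSSEC-validated presence means "valid", that a DNSSEC-validated negative answer means "not valid", and that anything else (SERVFAIL, timeout, or an answer without the AD bit) is a lookup failure. The resolver is a constructed stand-in so the code runs offline; in practice it would be a validating resolver query for the TXT RRset, and the policy function decides what to do when that query fails.

```python
"""Serial-number-in-DNS certificate status check (added example, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

ZONE = "example.pki"  # assumed zone name, taken from the dig command in the quote


@dataclass
class DnsResult:
    """What a validating stub resolver hands back for one TXT query."""
    rcode: str                      # "NOERROR", "NXDOMAIN", "SERVFAIL", "TIMEOUT"
    txt: list[str] = field(default_factory=list)  # TXT rdata strings, if any
    ad: bool = False                # AD flag: resolver DNSSEC-validated the answer


def serial_qname(serial: int, zone: str = ZONE) -> str:
    """Build the query name for a certificate serial number.

    Assumption: lowercase hex label, no leading zeros. The thread's own label
    ("d3we74ldqw1190") uses some other encoding that it does not describe.
    """
    return f"{serial:x}.{zone}."


def check_status(serial: int, lookup: Callable[[str], DnsResult],
                 hard_fail: bool = True) -> str:
    """Return "valid", "invalid", "reject" or "accept-unverified" for a serial.

    hard_fail=True is the policy AGL says the scheme would need: a client that
    cannot complete a DNSSEC-validated TXT lookup must reject the certificate.
    """
    res = lookup(serial_qname(serial))
    if res.rcode == "NOERROR" and res.txt and res.ad:
        return "valid"                      # validated positive answer
    if res.rcode in ("NXDOMAIN", "NOERROR") and res.ad and not res.txt:
        return "invalid"                    # validated negative answer (denial of existence)
    # SERVFAIL, timeout, or an unvalidated answer: the lookup itself failed.
    return "reject" if hard_fail else "accept-unverified"


def make_resolver(valid_serials: set[int], *, txt_lookups_work: bool = True,
                  validating: bool = True) -> Callable[[str], DnsResult]:
    """Constructed stand-in for a validating resolver plus the authoritative zone.

    txt_lookups_work=False models the ~3-4% of users AGL measured who could not
    look up TXT records at all; validating=False models a non-DNSSEC-aware path
    that returns answers without the AD bit.
    """
    # Constructed zone contents: serial -> TXT rdata. The real rdata format is
    # not specified in the thread; "status=good" is a placeholder.
    zone = {serial_qname(s): ["status=good"] for s in valid_serials}

    def lookup(qname: str) -> DnsResult:
        if not txt_lookups_work:
            return DnsResult(rcode="SERVFAIL")
        if qname in zone:
            return DnsResult(rcode="NOERROR", txt=zone[qname], ad=validating)
        return DnsResult(rcode="NXDOMAIN", ad=validating)

    return lookup


if __name__ == "__main__":
    good, revoked = 0x1D3A9F, 0x2B7C
    ok = make_resolver({good})
    broken = make_resolver({good}, txt_lookups_work=False)
    print(serial_qname(good), check_status(good, ok), check_status(revoked, ok))
    print("broken TXT path:", check_status(good, broken),
          check_status(good, broken, hard_fail=False))
```

With the working resolver the valid serial yields "valid" and the unknown one "invalid"; with the resolver that cannot answer TXT queries the same valid certificate is rejected under hard-fail and only let through if the client downgrades to soft-fail, which is exactly the trade-off that made the measured failure rate decisive.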
