Viktor Dukhovni wrote:
> The two models coexist seamlessly, and many existing DANE SMTP
> sites use certificates from a public CA.

But you switch off X.509 validation if DANE is used. I'd like to see DNSSEC/DANE/TLSA as an *additional* mechanism but still requiring X.509 validation to be fully performed. With this, multiple trust anchors would be effective, which is IMO the real solution.

Ciao, Michael.
