On 17 Apr 2013, at 01:11, Paul Hoffman <[email protected]> wrote:
>> It is not possible to do path validation without having the full trust
>> anchor certificate,
>
> Errr, why not? If the client has a certificate that says "the public key of
> the trust anchor that signed me is keyX", and you get keyX from TLSA, why do
> you need a full trust anchor certificate?
Sure, I was referring to "IN TLSA 2 x [12]", where only the hash of the
cert/key is available via DNS.
jakob
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
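To make the distinction in the exchange above concrete, here is an added example that is not part of the thread or of any DANE implementation. It models only the TLSA association-matching step of a DANE-TA (usage 2) record, not signature or path validation: with matching type 0 (Full) the DNS record carries the trust-anchor certificate or SPKI itself, so the client has the key even when the server's chain omits the TA; with matching type 1 or 2 (SHA-256/SHA-512, which is how "[12]" is read here) the record is only a digest, so the TA certificate has to be present in the handshake chain or the client has nothing to validate against. The certificates are synthetic DER structures built inline (dummy keys and signatures); all function names are the example's own.

```python
"""DANE-TA(2) matching: Full(0) vs hash (1/2) matching types (added example)."""
import hashlib

# --- minimal DER helpers, enough to build and walk a synthetic Certificate ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def make_cert(subject, issuer, pubkey_bytes):
    """Constructed, unsigned Certificate DER with placeholder key bytes (demo only)."""
    def name(cn):                           # Name ::= SEQUENCE OF SET OF {CN, value}
        return seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0c, cn.encode()))))
    alg = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    rsa = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b""))
    spki = seq(rsa, tlv(0x03, b"\x00" + pubkey_bytes))            # key bytes are opaque dummies
    validity = seq(tlv(0x17, b"230101000000Z"), tlv(0x17, b"330101000000Z"))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg,
              name(issuer), validity, name(subject), spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" + bytes(32)))            # dummy signature

def spki_of(cert_der):
    """Extract the subjectPublicKeyInfo TLV (TLSA selector 1) from a Certificate."""
    _, cert_body, _ = read_tlv(cert_der)            # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body)                 # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                              # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]

def tlsa_data(cert_der, selector, matching_type):
    """Certificate association data per RFC 6698 selector / matching type."""
    obj = cert_der if selector == 0 else spki_of(cert_der)
    if matching_type == 0:
        return obj                                  # Full: the object itself
    if matching_type == 1:
        return hashlib.sha256(obj).digest()
    if matching_type == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError("unknown matching type")

def locate_trust_anchor(tlsa, chain):
    """For a usage-2 record return (trust-anchor object, where it came from).

    The TA object is the certificate (selector 0) or SPKI (selector 1) the
    client would go on to validate the chain against. Hash-only records can
    only be matched against something the server actually sent.
    """
    usage, selector, matching_type, data = tlsa
    if usage != 2:
        raise ValueError("this helper only handles DANE-TA(2)")
    for cert in chain:
        if tlsa_data(cert, selector, matching_type) == data:
            return cert, "chain"                    # TA cert was in the handshake
    if matching_type == 0:
        return data, "dns"                          # Paul's case: the key itself is in DNS
    # Jakob's case: DNS holds a digest, TA absent from the chain -> nothing to validate with
    return None, "TA not presented and TLSA carries only a digest"

if __name__ == "__main__":
    ta = make_cert("Example Root", "Example Root", b"\x11" * 32)
    leaf = make_cert("www.example.com", "Example Root", b"\x22" * 32)
    hashed = (2, 0, 1, tlsa_data(ta, 0, 1))        # "2 0 1": SHA-256 of the TA cert
    full_spki = (2, 1, 0, tlsa_data(ta, 1, 0))     # "2 1 0": the TA public key itself
    print(locate_trust_anchor(hashed, [leaf])[1])           # digest only, TA missing
    print(locate_trust_anchor(hashed, [leaf, ta])[1])       # chain
    print(locate_trust_anchor(full_spki, [leaf])[1])        # dns
```

The practical consequence for operators is the one the thread circles: a server publishing "2 x 1" or "2 x 2" records must include the trust-anchor certificate in its TLS chain, whereas a "2 1 0" record lets a client proceed from the key alone.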