On Fri, Feb 21, 2014 at 03:19:10PM -0500, Stephen Nightingale wrote: > > - For 0xx and 1xx uses, it is hard to identify a single canonical CA > list. I have overlapping, but different Root Cert sets from Mozilla, > Fedora and Linux Mint. So when searching for an authority to build a > verification chain I cycle through all of these until succeeding or > exhaustion of the possibilities. Some of the DANE 360 listed sets > (including some from members of this group) fail to authenticate > because the root certs are not in my authorities.
I'm not really sure why you can't find the relevant CAs in your root store. It looks like you don't properly build the chain or something? Looking for instance at the fedoraproject.org results, you try all 3 of them, but each time fail, where for all 3 you actually seem to list the root CA as a relevant cert? Kurt _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
