And how is that definitively distinguishable from that email identity never having a CERT in DANE in the first place?
dougm

On Thu, Oct 2, 2014 at 5:00 PM, Jakob Schlyter <[email protected]> wrote:

> On 2 okt 2014, at 22:56, Doug Montgomery <[email protected]> wrote:
>
> > Having a scalable, simple, but definitive way to indicate that a
> > previously valid email-identity/certificate is no longer valid within a
> > given domain is a useful feature that doesn't seem to have an analog use
> > case in TLS.
>
> If you trust in DANE, and the certificate is no longer published in DNS,
> it is not valid - no revocation is needed.
> If you do not trust in DANE, normal/legacy revocation procedures
> (OCSP/CRL) apply.
>
> my 0.01€,
>
> jakob

--
DougM at Work
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
