On Thu, Dec 11, 2014 at 05:22:03PM -0800, Ian Fette wrote:
> Sorry, just reading the SMIMEA stuff for the first time, so apologies for
> the basic question, but do I really have to publish a record for each
> address? How would I say "this is a trusted intermediate CA for *@gmail.com"?
That would look like so:
;; insert CNAMEs for any desired indirection when
;; the same set of SMIMEA RRs handles multiple domains
;;
*._smimecert.gmail.com IN SMIMEA 2 0 1 <blob>
Keep in mind that this only supports signature verification, not
encryption: one can't encrypt to an intermediate CA; one needs the
leaf public key for that. So enabling encryption on first contact
requires publishing per-user keys by some means.
Otherwise all one gets is authenticated key exchange, possibly
followed later by encryption once leaf keys have been exchanged in
both directions.
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
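Added example (not code from the thread or from any DANE implementation) showing what the two kinds of record in Viktor's reply look like once built: the wildcard trust-anchor record `2 0 1 <blob>` hashes the intermediate CA certificate, while a per-user record that can actually be encrypted to must be an end-entity record that carries the key material itself. The owner-name derivation for per-user records follows RFC 8162 (SHA-256 of the local part, truncated to 28 octets); the certificate bytes are constructed stand-ins, not real DER.

```python
import hashlib

# Usage / selector / matching-type values are the DANE ones shared with TLSA:
# usage 2 = trust anchor (the "trusted intermediate CA" case from the thread),
# usage 3 = end-entity cert; selector 0 = full cert; mtype 1 = SHA-256.

def smimea_owner_name(mailbox: str) -> str:
    """Owner name for a per-user SMIMEA record (RFC 8162 section 2)."""
    local_part, domain = mailbox.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain}"

def smimea_rdata(usage: int, selector: int, mtype: int, data: bytes) -> str:
    """Presentation-format RDATA such as '2 0 1 <hex of sha256(cert)>'."""
    if mtype == 0:
        blob = data                      # full cert/SPKI published verbatim
    elif mtype == 1:
        blob = hashlib.sha256(data).digest()
    elif mtype == 2:
        blob = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {blob.hex()}"

def smimea_matches(rdata: str, data: bytes) -> bool:
    """True if `data` (the DER cert for selector 0) is what the record names.
    For a usage-2 record the data to test is the CA cert in the signer's
    chain, not the leaf certificate itself."""
    usage, selector, mtype, blob = rdata.split()
    expected = smimea_rdata(int(usage), int(selector), int(mtype), data).split()[3]
    return bytes.fromhex(blob) == bytes.fromhex(expected)

def supplies_encryption_key(rdata: str) -> bool:
    """Viktor's point: a sender can encrypt on first contact only from an
    end-entity record (usage 1 or 3) that carries the full cert or SPKI
    (matching type 0); a CA record, or any hash-only record, never suffices."""
    usage, _selector, mtype, _blob = rdata.split()
    return int(usage) in (1, 3) and int(mtype) == 0

# Constructed stand-ins for DER blobs; real zones hash actual certificates.
INTERMEDIATE_CA_DER = b"constructed intermediate CA certificate bytes"
LEAF_CERT_DER = b"constructed per-user leaf certificate bytes"

CA_RECORD = smimea_rdata(2, 0, 1, INTERMEDIATE_CA_DER)   # the wildcard record
USER_RECORD = smimea_rdata(3, 0, 0, LEAF_CERT_DER)       # per-user, key included

if __name__ == "__main__":
    print(f"*._smimecert.gmail.com IN SMIMEA {CA_RECORD}")
    print(f"{smimea_owner_name('someone@gmail.com')} IN SMIMEA {USER_RECORD}")
```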