Hi,

I've this web site for which I've enabled a Let's Encrypt server
certificate.

Now I have the choice of either PKIX-TA (TLSA 0 x y) or DANE-TA (TLSA 2
x y) records, or both.

My main question is: What's the value of choosing one above the other?

If I choose PKIX-TA, it means that a client who doesn't have the Let's
Encrypt root certificate in their CA-store won't accept my certificate/site.

On the other hand, if I choose DANE-TA, are there any clients who won't
accept my certificate/site because it might not be part of the client's
list of valid CAs?

Browsing the web, I hardly see any pages argue for PKIX-TA (0 x y) TLSA
records. Is the consensus that DANE-TA is sufficient to make clients
accept my site when the records match the site?

In other words: which one (PKIX-TA or TLSA-TA) to choose?

Cheers, Guido Witmond


_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane