On 3 Jul 2015, at 10:44, Michael Catanzaro wrote:

On Fri, 2015-07-03 at 15:43 +0200, Petr Spacek wrote:
For the record, and all this can be solved by DNSSEC + DANE. See RFC
6698.

I was planning to use DANE as a second required check in addition to
the normal certificate chain. That is, if either the certificate chain
doesn't check out or DANE fails, then something is spooky and the site
should be inaccessible. Other browsers are throwing around ideas about
using DANE to make the site accessible in the event the certificate
chain fails, which seems like the wrong direction to me. I haven't
really seen any good arguments in favor of one approach or the other,
though.

Isn't the whole point to eliminate the need for third party certificate authorities entirely?

Just to clarify what you are saying -- if there is a third party certificate chain which fails, then you would distrust the site. But if there is no third party certificate authority chain, and DANE succeeds, then you would accept the DANE-provided certificate and trust the site.

--
Mike
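The two policies Michael describes above (chain and DANE both required, versus DANE rescuing a failed chain) and the RFC 6698 TLSA matching they rest on, as an added Python example that is not from this thread; the certificate bytes are constructed placeholders, and a real client would take the DER certificate and SubjectPublicKeyInfo from the TLS handshake.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class TLSARecord:
    """One TLSA RR (RFC 6698): usage, selector, matching type, data."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes

# Chain entries are (cert_der, spki_der); index 0 is the server's leaf.
Chain = List[Tuple[bytes, bytes]]

def _association(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected
    if rec.matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()

def tlsa_matches(rec: TLSARecord, chain: Chain) -> bool:
    # End-entity usages (1, 3) must match the leaf; trust-anchor usages
    # (0, 2) may match any certificate the server presented.
    candidates = chain[:1] if rec.usage in (1, 3) else chain
    return any(_association(rec, c, s) == rec.data for c, s in candidates)

def dane_ok(records: List[TLSARecord], chain: Chain) -> bool:
    # Records with unknown field values are unusable and ignored; with no
    # usable record DANE is treated as failed, matching the "required" policy.
    usable = [r for r in records
              if r.usage in (0, 1, 2, 3) and r.selector in (0, 1)
              and r.matching in (0, 1, 2)]
    return any(tlsa_matches(r, chain) for r in usable)

def site_allowed(chain_ok: bool, dane_valid: bool, policy: str) -> bool:
    if policy == "both":    # Michael's proposal: either failure blocks the site
        return chain_ok and dane_valid
    if policy == "either":  # the alternative: DANE rescues a failed CA chain
        return chain_ok or dane_valid
    raise ValueError("unknown policy: " + policy)

# Constructed sample data (not real DER): a leaf and its issuer.
SAMPLE_CHAIN: Chain = [(b"constructed-leaf-cert", b"constructed-leaf-spki"),
                       (b"constructed-ca-cert", b"constructed-ca-spki")]

def sha256_record(usage: int, selector: int, selected: bytes) -> TLSARecord:
    """Build a matching-type-1 record pinning the given selected bytes."""
    return TLSARecord(usage, selector, 1, hashlib.sha256(selected).digest())
```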

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct