On Tue, Jul 2, 2013 at 2:36 AM, Guido Witmond <gu...@witmond.nl> wrote: > ... > Check > http://perspectives.project.org; > Transparency: http://www.certificate-transparency.org/; > or others. > ... > Publish the sites' TLS certificate in DNSSEC with DANE. Or use the CAA > proposal.
i would still prefer the best option where available: certificate pinning from the service and application provider directly. e.g. Google Chrome cert pins for Google services. you can also roll your own root and server certificate validation rules using out of band determination of "valid" server / ca certs if you don't trust third parties to do this properly! difficulty varies by application and platform... -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
