-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Wed, 2016-04-13 at 17:19 -0700, Franck Martin via mailop wrote:
> You can verify that the certificate is trusted (based on your list of
> trusted CAs), but there is no good method to do hostname
> verification. Maybe an FCrDNS would allow you to compare with the DNS
> names in the SubjectAltNames of the certificate...

DNSSEC/DANE with TLSA records.

If we are willing to accept DKIM keys via insecure DNS, why not also
accept TLS keys in TLSA records? If the target domain is DNSSEC secure,
so much the better.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAlcO6OIACgkQL6j7milTFsF4sACfXrbqfUhbYoSEy2f/Ixg5HKLY
LtUAn27mlPTooYCIJGRcox6/XtcYzHJP
=zyY6
-----END PGP SIGNATURE-----



_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

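The TLSA matching the reply refers to, as an added worked example that is not part of the post or of any mail server's own code. It implements the RFC 6698 match for the record form commonly published for an MX host, "3 1 1" (DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256 matching type), using only a small DER walker so it runs offline. The certificate, key bytes and TLSA rdata below are constructed placeholders, not a real key; in a real client the certificate comes from the SMTP TLS handshake and the record from a DNSSEC-validating lookup of `_25._tcp.<mx-hostname>`, and the lookup's AD bit decides whether the record may be trusted at all. Usages 0, 1 and 2 additionally need PKIX chain validation, which this example deliberately does not attempt.

```python
import hashlib

# --- minimal DER helpers (enough to walk an X.509 certificate) ---

def der_read(buf):
    """Read one TLV from buf. Returns (tag, value, whole_tlv, remainder)."""
    tag = buf[0]
    first = buf[1]
    idx = 2
    if first & 0x80:                       # long-form length: N following bytes
        n = first & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        idx = 2 + n
    else:                                  # short-form length
        length = first
    end = idx + length
    return tag, buf[idx:end], buf[:end], buf[end:]


def der_encode(tag, content):
    """Encode one TLV with a minimal (canonical) length field."""
    n = len(content)
    if n < 0x80:
        hdr = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([tag, 0x80 | len(lb)]) + lb
    return hdr + content


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate."""
    tag, cert, _, _ = der_read(cert_der)           # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, tbs, _, _ = der_read(cert)                # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, _, _, rest = der_read(tbs)                # [0] EXPLICIT version, or serialNumber if absent
    if tag == 0xA0:
        tag, _, _, rest = der_read(rest)           # serialNumber
    for _ in range(4):                             # signature, issuer, validity, subject
        tag, _, _, rest = der_read(rest)
    tag, _, spki, _ = der_read(rest)               # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI is not a SEQUENCE")
    return spki


# --- TLSA (RFC 6698) ---

def parse_tlsa_rdata(text):
    """Parse presentation-format rdata such as '3 1 1 <hex>' into its four fields."""
    usage, selector, mtype, hexdata = text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata)


def tlsa_matches_cert(cert_der, selector, mtype, assoc_data):
    """Apply selector (0 = full cert, 1 = SPKI) and matching type (0 = exact, 1 = SHA-256, 2 = SHA-512)."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        raise ValueError("unknown TLSA selector %d" % selector)
    if mtype == 0:
        return data == assoc_data
    if mtype == 1:
        return hashlib.sha256(data).digest() == assoc_data
    if mtype == 2:
        return hashlib.sha512(data).digest() == assoc_data
    raise ValueError("unknown TLSA matching type %d" % mtype)


def dane_verify(chain_der, tlsa_rdata):
    """chain_der[0] is the server's end-entity certificate as presented in the TLS handshake."""
    usage, selector, mtype, data = parse_tlsa_rdata(tlsa_rdata)
    if usage == 3:   # DANE-EE: the leaf itself is the trust anchor; no CA list, no hostname check needed
        return tlsa_matches_cert(chain_der[0], selector, mtype, data)
    # usages 0/1 need PKIX validation, usage 2 needs chain validation up to the named TA; out of scope here
    raise NotImplementedError("usage %d requires chain validation this example does not do" % usage)


# --- constructed sample data (placeholder key and unsigned certificate shell, not real) ---
ED25519_ALG = der_encode(0x30, der_encode(0x06, bytes.fromhex("2b6570")))   # AlgorithmIdentifier id-Ed25519
FAKE_KEY_BITS = der_encode(0x03, b"\x00" + bytes(range(32)))                  # BIT STRING of 32 placeholder bytes
SAMPLE_SPKI = der_encode(0x30, ED25519_ALG + FAKE_KEY_BITS)

def build_fake_cert(spki):
    """Assemble a syntactically valid but unsigned X.509 v3 certificate around spki (constructed)."""
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))
    serial = der_encode(0x02, b"\x01")
    sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    empty_name = der_encode(0x30, b"")
    validity = der_encode(0x30, der_encode(0x17, b"160101000000Z") + der_encode(0x17, b"170101000000Z"))
    tbs = der_encode(0x30, version + serial + sig_alg + empty_name + validity + empty_name + spki)
    sig_value = der_encode(0x03, b"\x00" * 9)     # placeholder signature; DANE-EE never checks it
    return der_encode(0x30, tbs + sig_alg + sig_value)

SAMPLE_CERT = build_fake_cert(SAMPLE_SPKI)
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()   # the record an MX operator would publish

if __name__ == "__main__":
    print("sample TLSA rdata:", SAMPLE_TLSA)
    print("leaf matches record:", dane_verify([SAMPLE_CERT], SAMPLE_TLSA))
```

Because a "3 1 1" record pins the key rather than the certificate, the operator can renew the certificate freely as long as the key pair is kept, which is why that form is preferred for MX hosts; the client side must still refuse the record unless the resolver returned it with the AD bit set.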