On 22.08.2013 09:03, Phil Pennock wrote:
> On 2013-08-21 at 12:52 -0600, Peter Saint-Andre wrote:
>> 5. No server-to-server connections without TLS.
>> 6. Require proper certificate checking (RFC 6120 / RFC 6125) for TLS
>> negotiations.
>> 7. Require support for CRLs/OCSP to detect expired/revoked certs.
>> And there are probably more.
> DNSSEC and DANE verification to avoid requiring third party certificate
> authorities (beyond "DNS management")?
I might be wrong, but DANE still requires a CA to sign your certfiles.
--
Regards,
Evgeniy Khramtsov, ProcessOne.
xmpp:x...@jabber.ru.