On 23 Aug 2013 08:30, "Evgeniy Khramtsov" <xramt...@gmail.com> wrote:
>
> On 22.08.2013 09:03, Phil Pennock wrote:
>>
>> On 2013-08-21 at 12:52 -0600, Peter Saint-Andre wrote:
>>>
>>> 5. No server-to-server connections without TLS.
>>>
>>> 6. Require proper certificate checking (RFC 6120 / RFC 6125) for TLS
>>> negotiations.
>>>
>>> 7. Require support for CRLs/OCSP to detect expired/revoked certs.
>>>
>>> And there are probably more.
>>
>> DNSSEC and DANE verification to avoid requiring third party certificate
>> authorities (beyond "DNS management")?
>
>
> I might be wrong, but DANE still requires CA to sign your certfiles.
>

You're wrong, actually. But what Phil suggested here was using it for CA
pinning, where the certificate is signed by a CA not in your list of trust
anchors, where trust in the chain derives from DNSSEC.

As a more complete explanation, DNSSEC allows records that publish the CA,
or certificate, of a service, and whether it is the only such object
acceptable or whether it is merely additionally acceptable (i.e., if normal
PKIX rules apply as well or not). Very flexible, very powerful, well worth
looking into.

> --
> Regards,
> Evgeniy Khramtsov, ProcessOne.
> xmpp:x...@jabber.ru.
>

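To make the distinction in the reply above concrete (a CA "not in your list of trust anchors" versus one that must also satisfy normal PKIX rules), here is an added example, not code from the thread or from any XMPP server project, that models the four TLSA certificate-usage values of RFC 6698 and checks a presented chain against a DNSSEC-validated TLSA RRset. Certificates are constructed stand-ins (`Cert` with opaque `der` and `spki` byte strings); the PKIX step is reduced to "does the chain reach a configured anchor", and the names, records and the `_5269._tcp` owner label are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed stand-in for an X.509 certificate. Real code would parse DER and
# extract the SubjectPublicKeyInfo; here both are opaque byte strings.
@dataclass(frozen=True)
class Cert:
    name: str
    der: bytes   # whole certificate, used by selector 0
    spki: bytes  # SubjectPublicKeyInfo, used by selector 1

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Derive the bytes a TLSA record carries for this cert/selector/matching type."""
    obj = cert.der if selector == 0 else cert.spki
    if matching == 0:
        return obj
    if matching == 1:
        return hashlib.sha256(obj).digest()
    if matching == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError(f"unknown matching type {matching}")

def tlsa_from_cert(cert: Cert, usage: int, selector: int, matching: int) -> TLSA:
    """What a zone operator would publish for this certificate."""
    return TLSA(usage, selector, matching, association_data(cert, selector, matching))

def present(owner: str, rec: TLSA) -> str:
    """Presentation format, e.g. for the s2s port of an XMPP domain."""
    return f"{owner} IN TLSA {rec.usage} {rec.selector} {rec.matching} {rec.data.hex()}"

def matches(cert: Cert, rec: TLSA) -> bool:
    return association_data(cert, rec.selector, rec.matching) == rec.data

def verify_chain(chain: List[Cert], records: List[TLSA],
                 pkix_anchors: Set[str], dnssec_validated: bool) -> Tuple[bool, str]:
    """chain[0] is the end-entity cert, the rest are the issuers the peer sent.

    Returns (accepted, reason). Toy PKIX check: the chain reaches a configured
    anchor by name (signatures are not verified in this model)."""
    if not dnssec_validated:
        # Unvalidated TLSA data is just an unauthenticated DNS answer: ignore it.
        return False, "TLSA RRset not DNSSEC-validated; DANE must not be used"
    ee, issuers = chain[0], chain[1:]
    pkix_ok = any(c.name in pkix_anchors for c in chain)
    for rec in records:
        if rec.usage == 0 and pkix_ok and any(matches(c, rec) for c in issuers):
            return True, "PKIX-TA"   # public CA pinned, PKIX still required
        if rec.usage == 1 and pkix_ok and matches(ee, rec):
            return True, "PKIX-EE"   # end-entity pinned, PKIX still required
        if rec.usage == 2 and any(matches(c, rec) for c in issuers):
            return True, "DANE-TA"   # trust anchor comes from DNSSEC, no public CA needed
        if rec.usage == 3 and matches(ee, rec):
            return True, "DANE-EE"   # end-entity pinned, PKIX not consulted at all
    return False, "no TLSA record matched the presented chain"

if __name__ == "__main__":
    # Constructed sample: a private CA that is NOT among the PKIX trust anchors.
    private_ca = Cert("Example Private CA", b"ca-der", b"ca-spki")
    server = Cert("xmpp.example.net", b"ee-der", b"ee-spki")
    rec = tlsa_from_cert(private_ca, usage=2, selector=1, matching=1)
    print(present("_5269._tcp.xmpp.example.net.", rec))
    print(verify_chain([server, private_ca], [rec], {"Public Root"}, True))
    print(verify_chain([server, private_ca], [rec], {"Public Root"}, False))
```

Usage 2 accepts the private CA because the TLSA record, not a browser-style trust store, names the anchor; switch the same record to usage 0 and the chain is rejected, because PKIX-TA keeps the public-CA requirement and only adds a constraint. The `dnssec_validated` flag stands for the resolver's AD bit (or local validation): without it, a TLSA answer carries no trust.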