On 23 Aug 2013 08:56, "Evgeniy Khramtsov" <xramt...@gmail.com> wrote:
>
> On 23.08.2013 17:43, Dave Cridland wrote:
>>
>> You're wrong, actually. But what Phil suggested here was using it for CA pinning, where the certificate is signed by a CA not in your list of trust anchors, where trust in the chain derives from DNSSEC.
>>
>> As a more complete explanation, DNSSEC allows records that publish the CA, or certificate, of a service, and whether it is the only such object acceptable or whether it is merely additionally acceptable (i.e., if normal PKIX rules apply as well or not). Very flexible, very powerful, well worth looking into.
>>
>
> I admit I'm a total noob in all that CA/PKIX/DNSSEC stuff as it makes me sleepy as hell when I try to dive into it ;) What I'd like to have is TLS security without any CAs at all. If we can do that with DANE/DNSSEC/ABCD, I'm in ;)
>

Right, you can do that, but you can also run your own private CA, and have the benefits of both.

> --
> Regards,
> Evgeniy Khramtsov, ProcessOne.
> xmpp:x...@jabber.ru.
>
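As an added illustration of the record semantics Dave describes (the DNS record type is TLSA, defined in RFC 6698), here is a small Python decision routine; it is not code from this thread or from any project mentioned in it. It assumes the TLSA RRset has already been validated via DNSSEC, and the certificate bytes below are constructed stand-ins rather than real DER.

```python
import hashlib
from typing import NamedTuple, Sequence, Tuple

# TLSA certificate-usage values (RFC 6698). Usages 0/1 only constrain a chain
# that must ALSO pass normal PKIX validation; usages 2/3 make the published
# CA or certificate sufficient on its own, with trust coming from DNSSEC.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# selector: 0 = whole certificate, 1 = SubjectPublicKeyInfo; matching: 0 = raw, 1 = SHA-256, 2 = SHA-512

Cert = Tuple[bytes, bytes]  # (DER certificate, DER SubjectPublicKeyInfo)

class TLSA(NamedTuple):
    usage: int
    selector: int
    matching: int
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 2bb1...' (hex may be split)."""
    usage, selector, matching, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))

def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """The bytes a TLSA record carries for `cert` under this selector/matching type."""
    blob = cert[0] if selector == 0 else cert[1]
    if matching == 0:
        return blob
    if matching == 1:
        return hashlib.sha256(blob).digest()
    if matching == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching}")

def record_matches(rec: TLSA, chain: Sequence[Cert]) -> bool:
    """EE usages test only chain[0]; TA usages test the issuer certs in the chain."""
    candidates = chain[:1] if rec.usage in (PKIX_EE, DANE_EE) else chain[1:]
    return any(association_data(c, rec.selector, rec.matching) == rec.data for c in candidates)

def dane_accept(records: Sequence[TLSA], chain: Sequence[Cert], pkix_ok: bool) -> bool:
    """Accept if some record matches; PKIX-* usages additionally require pkix_ok. `chain` is
    end-entity first; for DANE-TA the check that chain[0] chains to the matched CA is left to the caller."""
    return any(record_matches(r, chain) and (pkix_ok or r.usage in (DANE_TA, DANE_EE))
               for r in records)

# Constructed sample: stand-in byte strings, not real DER certificates.
EE: Cert = (b"constructed end-entity cert", b"constructed end-entity spki")
CA: Cert = (b"constructed private CA cert", b"constructed private CA spki")
CHAIN = [EE, CA]
TA_RECORD = parse_tlsa("2 0 1 " + association_data(CA, 0, 1).hex())    # pin private CA
PKIX_RECORD = parse_tlsa("0 0 1 " + association_data(CA, 0, 1).hex())  # CA + PKIX needed
```

With `TA_RECORD` the private CA is accepted without any public CA involvement, which is the no-CA setup Evgeniy asks about; `PKIX_RECORD` shows the other mode, where the same CA only narrows what an otherwise PKIX-valid chain may use.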