-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8/23/13 1:55 AM, Evgeniy Khramtsov wrote:
> On 23.08.2013 17:43, Dave Cridland wrote:
>>
>> You're wrong, actually. But what Phil suggested here was using it
>> for CA pinning, where the certificate is signed by a CA not in
>> your list of trust anchors, where trust in the chain derives from
>> DNSSEC.
>>
>> As a more complete explanation, DNSSEC allows records that
>> publish the CA, or certificate, of a service, and whether it is
>> the only such object acceptable or whether it is merely
>> additionally acceptable (i.e., if normal PKIX rules apply as well
>> or not). Very flexible, very powerful, well worth looking into.
>>
>
> I admit I'm a total noob in all that CA/PKIX/DNSSEC stuff as it makes
> me sleepy as hell when I try to dive into it ;) What I'd like to
> have is TLS-security without any CAs at all. If we can do that
> with DANE/DNSSEC/ABCD, I'm in ;)

I think we're all in -- or we *will* be when DANE/DNSSEC is widely
deployed, which unfortunately won't happen for years (IMHO) because of
all the dependencies on making it work. In the meantime, something
like POSH can help:

https://datatracker.ietf.org/doc/draft-miller-posh/

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-----END PGP SIGNATURE-----
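
The record semantics described in the quoted explanation (publish the CA or the service certificate, with or without normal PKIX rules) correspond to the four TLSA certificate usages of RFC 6698. The sketch below is an added example, not part of the original message or of any project's code. It assumes the TLSA RRset was already DNSSEC-validated, handles selector 0 (full certificate) only, takes the ordinary PKIX result as a boolean computed elsewhere, and uses constructed byte strings in place of real DER certificates.

```python
import hashlib
from typing import List, NamedTuple

class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate (the only selector handled here)
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data from DNS

def record_matches(rec: TLSA, cert_der: bytes) -> bool:
    if rec.selector != 0:
        return False  # selector 1 (SPKI) needs an X.509 parser; out of scope
    if rec.mtype == 0:
        return rec.data == cert_der
    if rec.mtype == 1:
        return rec.data == hashlib.sha256(cert_der).digest()
    if rec.mtype == 2:
        return rec.data == hashlib.sha512(cert_der).digest()
    return False

def dane_accepts(rrset: List[TLSA], chain: List[bytes], pkix_ok: bool) -> bool:
    """chain[0] is the server certificate, chain[1:] its issuers (DER).
    pkix_ok: outcome of normal PKIX validation against local trust anchors.
    Simplification: for usage 2 a real client must also verify the chain's
    signatures up to the matched anchor; that step is not performed here."""
    for rec in rrset:
        if rec.usage in (1, 3):      # record pins the service certificate
            candidates = chain[:1]
        elif rec.usage in (0, 2):    # record pins a CA in the chain
            candidates = chain[1:]
        else:
            continue                 # unknown usage: record is unusable
        if not any(record_matches(rec, c) for c in candidates):
            continue
        if rec.usage in (0, 1) and not pkix_ok:
            continue                 # PKIX rules apply as well: both must pass
        return True                  # usages 2 and 3: trust derives from DNSSEC
    return False

# Constructed sample data: stand-ins for DER certificates.
EE = b"constructed-server-certificate"
CA = b"constructed-private-ca-certificate"
CHAIN = [EE, CA]

if __name__ == "__main__":
    pin_ca = TLSA(2, 0, 1, hashlib.sha256(CA).digest())
    print("private CA, no public trust anchor:", dane_accepts([pin_ca], CHAIN, False))
```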