John:
> This may be way off topic; if so, I apologise.
>
> Looking at the available CAs, many of them do not seem to pass the
> sniff test. WoSign/Startcom are not alone in being found to be
> either incompetent or dishonest. Which made me wonder if there might be
> an alternative to CA issued certs. Is there any way that DNS/DNSSEC could
> be used to publish and verify certs?

DANE can be used to implement TLS authentication without PKI. Available in Postfix since 2.11.

Wietse
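
How the DANE check named in the reply works for certificate usage 3 (DANE-EE), as an added example that is not part of the thread and is not Postfix's code: the TLSA record published under DNSSEC carries the server's certificate or public key (usually as a digest), and the client compares it with what the server presents in the TLS handshake. The host name, the skeletal certificate and the record below are constructed sample values, and DNSSEC validation of the lookup itself is assumed rather than shown.

```python
import hashlib

def tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def spki_from_cert(cert):
    """Slice the DER SubjectPublicKeyInfo (TLSA selector 1) out of a certificate."""
    _, off, _ = tlv(cert, 0)        # Certificate SEQUENCE
    _, off, _ = tlv(cert, off)      # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert, off)
    if tag == 0xA0:                 # optional [0] version field
        off = end
    for _ in range(5):              # serial, sigAlg, issuer, validity, subject
        _, _, off = tlv(cert, off)
    return cert[off:tlv(cert, off)[2]]

def tlsa_owner(host, port=25):
    """Owner name under which the TLSA RRset for an SMTP server is published."""
    return f"_{port}._tcp.{host.rstrip('.')}."

def dane_ee_match(rdata, cert):
    """True if a 'usage selector mtype hex' TLSA record pins this leaf certificate."""
    usage, selector, mtype, data = rdata.split(None, 3)
    if usage != "3" or selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        return False                # outside this example's scope: no match
    selected = cert if selector == "0" else spki_from_cert(cert)
    if mtype == "1":
        selected = hashlib.sha256(selected).digest()
    elif mtype == "2":
        selected = hashlib.sha512(selected).digest()
    return selected == bytes.fromhex("".join(data.split()))

# Constructed sample: a skeletal DER "certificate" with placeholder fields (not a real cert).
def der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only
SPKI = der(0x30, b"constructed-key")
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
          + der(0x30, b"") * 4 + SPKI)
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
RECORD = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()

if __name__ == "__main__":
    print(tlsa_owner("mx.example.com"), "IN TLSA", RECORD, dane_ee_match(RECORD, CERT))
```

Usage 2 (DANE-TA) records pin a trust anchor instead and additionally require validating the chain up to it, which this example does not attempt.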