dnssec-trigger + GNOME + NetworkManager integration
Mike Pinkerton
pselists at mindspring.com
Fri Jul 3 15:21:29 UTC 2015
On 3 Jul 2015, at 10:44, Michael Catanzaro wrote:
> On Fri, 2015-07-03 at 15:43 +0200, Petr Spacek wrote:
>> For the record, and all this can be solved by DNSSEC + DANE. See RFC
>> 6698.
>
> I was planning to use DANE as a second required check in addition to
> the normal certificate chain. That is, if either the certificate chain
> doesn't check out or DANE fails, then something is spooky and the site
> should be inaccessible. Other browsers are throwing around ideas about
> using DANE to make the site accessible in the event the certificate
> chain fails, which seems like the wrong direction to me. I haven't
> really seen any good arguments in favor of one approach or the other,
> though.

Isn't the whole point to eliminate the need for third party
certificate authorities entirely?

Just to clarify what you are saying -- if there is a third party
certificate chain which fails, then you would distrust the site. But
if there is no third party certificate authority chain, and DANE
succeeds, then you would accept the DANE-provided certificate and
trust the site.
--
Mike
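
The two client policies discussed in this thread, side by side, as an added example that is not part of the original messages or of any browser's code. The policy names, the `TLSA` class and the sample bytes are hypothetical; the TLSA certificate-usage field and trust-anchor records are not modeled, and a TLSA answer that is not DNSSEC-validated is assumed to count as "no TLSA published".

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def tlsa_matches(rec, cert_der, spki_der):
    """RFC 6698 selector / matching-type comparison for one record."""
    if rec.selector not in (0, 1):
        return False            # unknown selector: unusable record
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    elif rec.mtype != 0:
        return False            # unknown matching type: unusable record
    return hmac.compare_digest(selected, rec.data)

def dane_result(records, dnssec_secure, cert_der, spki_der):
    """None = no usable TLSA data, True = a record matches, False = none match."""
    if not dnssec_secure or not records:
        return None             # assumption: unsigned answers count as "no TLSA"
    return any(tlsa_matches(r, cert_der, spki_der) for r in records)

def accept(policy, pkix_ok, dane):
    if policy == "both-required":   # chain must pass and DANE must not fail
        return pkix_ok and dane is not False
    if policy == "dane-fallback":   # DANE may rescue a failed chain
        return pkix_ok or dane is True
    raise ValueError(policy)

# Constructed sample bytes standing in for a DER certificate and its SPKI.
CERT, SPKI = b"constructed-der-certificate", b"constructed-spki"
GOOD = [TLSA(1, 1, hashlib.sha256(SPKI).digest())]
STALE = [TLSA(0, 1, hashlib.sha256(b"some-other-certificate").digest())]

def outcomes(pkix_ok, records, dnssec_secure=True):
    dane = dane_result(records, dnssec_secure, CERT, SPKI)
    return {p: accept(p, pkix_ok, dane) for p in ("both-required", "dane-fallback")}

if __name__ == "__main__":
    for label, ok, recs in [("chain ok, TLSA mismatch", True, STALE),
                            ("chain fails, TLSA match", False, GOOD)]:
        print(label, outcomes(ok, recs))
```

The two policies disagree exactly in the cases the thread argues about: a valid chain with a mismatching TLSA record, and a failed chain with a matching one.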