dnssec-trigger + GNOME + NetworkManager integration

Mike Pinkerton pselists at mindspring.com
Fri Jul 3 15:21:29 UTC 2015

On 3 Jul 2015, at 10:44, Michael Catanzaro wrote:

> On Fri, 2015-07-03 at 15:43 +0200, Petr Spacek wrote:
>> For the record, and all this can be solved by DNSSEC + DANE. See RFC
>> 6698.
> I was planning to use DANE as a second required check in addition to
> the normal certificate chain. That is, if either the certificate chain
> doesn't check out or DANE fails, then something is spooky and the site
> should be inaccessible. Other browsers are throwing around ideas about
> using DANE to make the site accessible in the event the certificate
> chain fails, which seems like the wrong direction to me. I haven't
> really seen any good arguments in favor of one approach or the other,
> though.

Isn't the whole point to eliminate the need for third party  
certificate authorities entirely?

Just to clarify what you are saying -- if there is a third party  
certificate chain which fails, then you would distrust the site.  But  
if there is no third party certificate authority chain, and DANE  
succeeds, then you would accept the DANE-provided certificate and  
trust the site.


More information about the devel mailing list