[Operators] IM Observatory @ xmpp.net
Phil Pennock
xmpp-operators+phil at spodhuis.org
Wed Oct 30 21:58:19 UTC 2013
On 2013-10-30 at 10:17 +0100, Tomek Nagisa wrote:
> > Looks cool. Is there an intention to support TLSA+DNSSEC
> > providing a trust anchor to override the automatic F grade
> > for having an untrusted CA cert?
>
> Change TLSA record from "IN TLSA (2 0 0 ..." to " IN TLSA (3 0 0 "?
No, because the TLSA record is for the CA, not for the server
certificate. I have TLSA records for each CA I have certs for, and then
the relevant anchor names have CNAMEs pointing to the relevant CA
record.
I will be changing from "2 0 0" to something smaller, to avoid packet
size issues, at some point in the future; this is why I've made sure
that the trust anchor cert is included in the cert chain sent inside
TLS as part of the handshake. Viktor Dukhovni has a relevant Draft out
on operational concerns which explains this well. In fact, it looks
like it's been renamed and taken on as an IETF WG product:
draft-ietf-dane-ops-01.txt.
http://tools.ietf.org/html/draft-ietf-dane-ops-01
-Phil
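To make the distinction in the reply concrete, here is an added example (mine, not Phil's or xmpp.net's code) that builds TLSA rdata for the usage/selector/matching-type combinations discussed and checks a presented chain against it. The "certificates" are constructed placeholder byte strings rather than real DER, and only selector 0 (full certificate) is implemented; the owner name `_5222._tcp.xmpp.example.` is an assumption. It shows why a usage-2 record for a CA cannot simply be renumbered to usage 3, why the trust-anchor certificate must be present in the chain sent during the handshake, and how much smaller a SHA-256 (matching type 1) record is than a full-certificate (matching type 0) one.

```python
import hashlib

# Certificate usage field (RFC 6698, acronyms from RFC 7218).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector field: 0 = whole certificate, 1 = SubjectPublicKeyInfo.
FULL_CERT, SPKI = 0, 1
# Matching type field: 0 = exact data, 1 = SHA-256, 2 = SHA-512.
EXACT, SHA256, SHA512 = 0, 1, 2

# Constructed placeholders standing in for DER-encoded certificates.
# They are NOT real X.509 data; a real deployment would read DER files.
CA_CERT_DER = b"constructed: CA (trust anchor) certificate DER placeholder bytes"
EE_CERT_DER = b"constructed: end-entity server certificate DER placeholder bytes"


def association_data(cert_der: bytes, matching_type: int) -> bytes:
    """Certificate association data for selector 0 (full certificate)."""
    if matching_type == EXACT:
        return cert_der
    if matching_type == SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_rdata(usage: int, selector: int, matching_type: int, cert_der: bytes) -> str:
    """Presentation-format rdata, e.g. '2 0 1 <hex>'."""
    if selector != FULL_CERT:
        # Selector 1 needs the SubjectPublicKeyInfo extracted from the
        # certificate, which requires an ASN.1 parser; out of scope here.
        raise NotImplementedError("only selector 0 is implemented in this example")
    return f"{usage} {selector} {matching_type} {association_data(cert_der, matching_type).hex()}"


def tlsa_record(host: str, port: int, rdata: str) -> str:
    """Full zone-file line for a TLS service on the given host/port (assumed name)."""
    return f"_{port}._tcp.{host}. IN TLSA {rdata}"


def tlsa_matches(rdata: str, chain: list[bytes]) -> bool:
    """Check a presented chain (end-entity first) against one TLSA rdata.

    This implements only the DANE association check.  For usages 0 and 1
    the verifier must additionally perform PKIX path validation, which is
    not modelled here.
    """
    usage_s, selector_s, mtype_s, assoc_hex = rdata.split()
    usage, selector, mtype = int(usage_s), int(selector_s), int(mtype_s)
    if selector != FULL_CERT:
        raise NotImplementedError("only selector 0 is implemented in this example")
    expected = bytes.fromhex(assoc_hex)
    if usage in (PKIX_EE, DANE_EE):
        # End-entity usages: only the server certificate itself may match.
        candidates = chain[:1]
    else:
        # Trust-anchor usages: the anchor must appear somewhere in the
        # presented chain, which is why the TA cert has to be sent in TLS.
        candidates = chain
    return any(association_data(c, mtype) == expected for c in candidates)


if __name__ == "__main__":
    full = tlsa_rdata(DANE_TA, FULL_CERT, EXACT, CA_CERT_DER)   # "2 0 0 ..."
    hashed = tlsa_rdata(DANE_TA, FULL_CERT, SHA256, CA_CERT_DER)  # "2 0 1 ..."
    print(tlsa_record("xmpp.example", 5222, hashed))
    print("rdata bytes, exact vs sha256:", len(full), len(hashed))
    print("TA record, chain with CA:   ", tlsa_matches(full, [EE_CERT_DER, CA_CERT_DER]))
    print("TA record, chain without CA:", tlsa_matches(full, [EE_CERT_DER]))
    renumbered = tlsa_rdata(DANE_EE, FULL_CERT, EXACT, CA_CERT_DER)  # "3 0 0" with CA data
    print("CA data renumbered to usage 3:", tlsa_matches(renumbered, [EE_CERT_DER, CA_CERT_DER]))
```

Running it prints the usage-2 record matching when the CA is in the chain and failing when it is absent, and the renumbered "3 0 0" record for the CA data never matching, since usage 3 is compared only against the end-entity certificate.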