[Operators] IM Observatory @ xmpp.net

Phil Pennock xmpp-operators+phil at spodhuis.org
Wed Oct 30 21:58:19 UTC 2013


On 2013-10-30 at 10:17 +0100, Tomek Nagisa wrote:
> > Looks cool.  Is there an intention to support TLSA+DNSSEC 
> > providing a trust anchor to override the automatic F grade
> > for having an untrusted CA cert?
> 
> Change TLSA record from "IN TLSA (2 0 0 ..." to " IN TLSA (3 0 0 "?

No, because the TLSA record is for the CA, not for the server
certificate.  I have TLSA records for each CA I have certs for, and then
the relevant anchor names have CNAMEs pointing to the relevant CA
record.

I will be changing from "2 0 0" to something smaller, to avoid packet
size issues, at some point in the future; this is why I've made sure
that the trust anchor cert is included in the cert chain sent inside
TLS as part of the handshake.  Viktor Dukhovni has a relevant Draft out
on operational concerns which explains this well.  In fact, it looks
like it's been renamed and taken on as an IETF WG product:
draft-ietf-dane-ops-01.txt.

http://tools.ietf.org/html/draft-ietf-dane-ops-01

-Phil
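An added example, not code from the post above or from xmpp.net, showing the record layout Phil describes: TLSA data computed from the CA certificate for "2 0 0" (full cert in the record) versus "2 1 1" (SHA-256 of the SubjectPublicKeyInfo), the per-service name CNAMEd at the per-CA record, and the client-side matching step that makes the point about "3 0 0" versus "2 0 0" and about sending the trust anchor in the TLS chain. Everything is assumed: the names xmpp.example.org and example-ca._tlsa.example.org, the two certificates (constructed DER blobs with a placeholder key and signature, not real certificates) and the helper names. Only the standard library is used, and signature/path validation is deliberately left out; only the TLSA matching step is shown.

```python
"""Added example (not code from the original post or from xmpp.net):
build DANE TLSA record data from a certificate and run the client-side
matching step for usage 2 (DANE-TA, the record names the CA) and usage 3
(DANE-EE, the record names the server certificate itself).

Real X.509 certificates need a crypto library to generate, so the two
certificates below are constructed DER blobs with the genuine
Certificate/TBSCertificate/SubjectPublicKeyInfo layout but a placeholder
key and signature. The TLSA arithmetic and the "is the anchor on the wire?"
check are the same for real certificates; signature and path validation
are out of scope here."""
import hashlib

# ---- minimal DER encode/decode, enough for the outer X.509 structure ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return der(0x30, b"".join(items))

def der_children(tlv):
    """Split a constructed DER TLV into its child TLVs, each kept whole."""
    hdr = 2 if tlv[1] < 0x80 else 2 + (tlv[1] & 0x7F)
    body, out, pos = tlv[hdr:], [], 0
    while pos < len(body):
        l = body[pos + 1]
        h = 2 if l < 0x80 else 2 + (l & 0x7F)
        n = l if l < 0x80 else int.from_bytes(body[pos + 2:pos + h], "big")
        out.append(body[pos:pos + h + n])
        pos += h + n
    return out

def cert_fields(cert):
    """Return the (issuer, subject, subjectPublicKeyInfo) TLVs of a DER cert."""
    tbs = der_children(der_children(cert)[0])
    if tbs[0][0] == 0xA0:            # explicit [0] version is optional
        tbs = tbs[1:]
    # now: serial, signature alg, issuer, validity, subject, spki, ...
    return tbs[2], tbs[4], tbs[5]

# ---- RFC 6698 certificate association data ----
def tlsa_data(cert, selector, matching):
    """selector 0 = full cert, 1 = SPKI; matching 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    subject = cert if selector == 0 else cert_fields(cert)[2]
    if matching == 0:
        return subject
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching](subject).digest()

def tlsa_rr(owner, usage, selector, matching, cert):
    """Zone-file presentation of one TLSA record."""
    return f"{owner} IN TLSA {usage} {selector} {matching} {tlsa_data(cert, selector, matching).hex()}"

# ---- client-side matching step for a presented chain (leaf first) ----
def dane_ta_anchor(chain, selector, matching, data):
    """Usage 2: return the DER trust anchor to validate the chain against, or None."""
    for cert in chain[1:]:               # the anchor is an issuer, never the leaf
        if tlsa_data(cert, selector, matching) == data:
            return cert                  # server sent the anchor inside the handshake
    if selector == 0 and matching == 0:
        # "2 0 0" carries the whole CA cert, so the client can use the record itself
        # even when the chain omits the anchor; the chain top must at least name it.
        if cert_fields(data)[1] == cert_fields(chain[-1])[0]:
            return data
    return None                          # any digest form needs the anchor on the wire

def dane_ee_match(chain, selector, matching, data):
    """Usage 3: the end-entity certificate itself must match the record."""
    return tlsa_data(chain[0], selector, matching) == data

# ---- constructed certificates (example data, not real certificates) ----
def _name(cn):                            # Name: SEQUENCE { SET { commonName, UTF8String } }
    return seq(der(0x31, seq(der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))

_RSA = seq(der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), der(0x05, b""))
_SHA256_RSA = seq(der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), der(0x05, b""))

def fake_cert(subject_cn, issuer_cn, key_seed):
    pub = hashlib.sha512(key_seed.encode()).digest() * 4     # 256 placeholder key bytes
    spki = seq(_RSA, der(0x03, b"\x00" + pub))
    validity = seq(der(0x17, b"131030000000Z"), der(0x17, b"141030000000Z"))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), _SHA256_RSA,
              _name(issuer_cn), validity, _name(subject_cn), spki)
    return seq(tbs, _SHA256_RSA, der(0x03, b"\x00" + bytes(64)))   # dummy signature

CA = fake_cert("Example CA", "Example CA", "ca-key")
LEAF = fake_cert("xmpp.example.org", "Example CA", "server-key")

if __name__ == "__main__":
    anchor, ca_rr = "_5222._tcp.xmpp.example.org.", "example-ca._tlsa.example.org."
    print(f"{anchor} IN CNAME {ca_rr}")            # per-service name -> per-CA record
    for sel, mt in ((0, 0), (1, 1)):
        rr = tlsa_rr(ca_rr, 2, sel, mt, CA)
        print(f"{rr[:100]}... ({len(tlsa_data(CA, sel, mt))} bytes of rdata)")
    print("2 1 1, anchor omitted from chain:", dane_ta_anchor([LEAF], 1, 1, tlsa_data(CA, 1, 1)) is not None)
    print("2 1 1, anchor sent in chain:   ", dane_ta_anchor([LEAF, CA], 1, 1, tlsa_data(CA, 1, 1)) is not None)
    print("3 0 0 with CA data (wrong):    ", dane_ee_match([LEAF, CA], 0, 0, CA))
```

Running it shows the two things the reply is about: the "2 0 0" rdata is the whole CA certificate (hundreds of bytes, hence the packet-size concern) while "2 1 1" is 32 bytes, and once the record is a digest the client has nothing to reconstruct the anchor from, so dane_ta_anchor only succeeds when the CA certificate is actually present in the chain the server sends. Switching the same CA data to "3 0 0" simply fails, because usage 3 compares the record against the server certificate, not its issuer.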