[spec] Certificate trust
Matthew Ernisse
matt at going-flying.com
Mon Mar 1 01:27:51 GMT 2021
On Sun, Feb 28, 2021 at 08:32:53PM +0100, Solene Rapenne said unto me:
> 2) If 1 is invalid, let's (introduce something new here) check if
> DNS doesn't have a TXT field with the certificate fingerprint and
> see if it matches the current one, accept if OK
I think this is the perfect use of the TLSA record, instead of introducing
a new use of TXT. It is already used by DANE to provide trust outside of
the CA structure.
--Matt
---
Matthew Ernisse
matt at going-flying.com
https://www.going-flying.com/
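
The check this reply points to, as an added example that is not code from the thread or from any Gemini client: matching a server certificate against a TLSA record with usage 3 (DANE-EE), the case that fits self-signed certificates. The function names and the synthetic DER sample are constructed for illustration, and the TLSA lookup with DNSSEC validation is assumed to happen elsewhere.

```python
import hashlib
import hmac

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] version
        pos = end
    for _ in range(5):              # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)
    return der[pos:end]

def tlsa_matches(record, cert_der):
    """Check 'usage selector mtype hex' rdata against a presented certificate."""
    try:
        usage, selector, mtype, assoc = record.split(None, 3)
        if usage != "3" or selector not in ("0", "1") or mtype not in ("0", "1", "2"):
            return False            # only DANE-EE is handled here
        data = cert_der if selector == "0" else spki_from_cert(cert_der)
        if mtype == "1":
            data = hashlib.sha256(data).digest()
        elif mtype == "2":
            data = hashlib.sha512(data).digest()
        return hmac.compare_digest(data, bytes.fromhex(assoc.replace(" ", "")))
    except (ValueError, IndexError):  # malformed record or truncated DER
        return False

def _der(tag, body):                # constructed-sample helper, short lengths only
    return bytes([tag, len(body)]) + body

# Constructed sample: certificate-shaped DER with an all-zero Ed25519 key.
# It is not a real or valid certificate; it only has the right field layout.
ALG = _der(0x30, b"\x06\x03\x2b\x65\x70")
SAMPLE_SPKI = _der(0x30, ALG + _der(0x03, b"\x00" + bytes(32)))
TBS = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + ALG
           + b"\x30\x00" * 3 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, TBS + ALG + b"\x03\x01\x00")
SAMPLE_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

A `3 1 1` record pins only the public key, so it survives certificate renewal as long as the key is kept; a `3 0 x` record has to be republished with every new certificate.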