1 Mar 2015, 8:37 p.m.
Viktor Dukhovni wrote:
The two models coexist seamlessly, and many existing DANE SMTP sites use certificates from a public CA.
But you switch off X.509 validation if DANE is used.
I'd like to see DNSSEC/DANE/TLSA as an *additional* mechanism but still requiring X.509 validation to be fully performed. With this, multiple trust anchors would be effective, which is IMO the real solution.
Ciao, Michael.