In message <alpine.LSU.2.00.0811131135530.14367@hermes-1.csi.cam.ac.uk>, Tony Finch writes:
> You also need the server to provide a verifiable TLS certificate. The vast
> majority of them are not. This problem is perhaps even harder to fix than
> the lack of DNSSEC.
Just use DNSSEC and CERT records to do that.
If self-signed, look in the DNS for the CERT. Accept if
signed and validated by DNSSEC. Have a low TTL on the CERT
so as to not blow the DNS cache (caches can enforce this
if needed) and maintain an on-disk cache of the certs retrieved
via the DNS as they have their own validity period. Attempt
to retrieve a new one via DNS if the on-disk one doesn't
match.
Certs that are signed by private CAs are harder to deal
with as you don't have the linkage from the name to the
CA.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
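The self-signed-plus-CERT-record flow Mark sketches, as an added example (not code from the thread or from ISC): it parses CERT RDATA in the RFC 4398 wire layout, accepts a presented certificate only if a DNSSEC-validated CERT RRset contains it, and consults a local cache (standing in for the on-disk one) before going back to the DNS. The resolver callable, the cache shape and the sample DER blob are assumptions made for the example.

```python
import hashlib
import time
from typing import Callable, Dict, List, Optional, Tuple

CERT_TYPE_PKIX = 1  # X.509 certificate, RFC 4398 section 2.1

def parse_cert_rdata(rdata: bytes) -> Tuple[int, int, int, bytes]:
    """Split CERT RDATA: type(2) | key tag(2) | algorithm(1) | certificate."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type = int.from_bytes(rdata[0:2], "big")
    key_tag = int.from_bytes(rdata[2:4], "big")
    return cert_type, key_tag, rdata[4], rdata[5:]

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

# Assumed resolver interface: returns the CERT RRset RDATA list and whether
# the answer was DNSSEC-validated (the AD bit from a validating resolver).
Resolver = Callable[[str], Tuple[List[bytes], bool]]

class DnsCertVerifier:
    def __init__(self, resolver: Resolver,
                 cache: Optional[Dict[str, Tuple[str, float]]] = None):
        self.resolver = resolver
        # host -> (sha256 fingerprint, expiry); stands in for the on-disk cache
        self.cache = cache if cache is not None else {}

    def verify(self, host: str, presented_der: bytes, cert_not_after: float,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        fp = fingerprint(presented_der)
        entry = self.cache.get(host)
        if entry and entry[0] == fp and entry[1] > now:
            return True  # cached, unexpired and matching: no DNS round trip
        rrset, validated = self.resolver(host)
        if not validated:
            return False  # an unvalidated CERT answer proves nothing
        for rdata in rrset:
            try:
                cert_type, _, _, cert = parse_cert_rdata(rdata)
            except ValueError:
                continue  # skip malformed records
            if cert_type == CERT_TYPE_PKIX and cert == presented_der:
                self.cache[host] = (fp, cert_not_after)  # cache for cert's validity
                return True
        return False  # DNS does not vouch for this certificate

# Constructed sample: a stand-in DER blob, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\xab" * 16
SAMPLE_RDATA = (CERT_TYPE_PKIX.to_bytes(2, "big") + (12345).to_bytes(2, "big")
                + bytes([8]) + SAMPLE_DER)

def signed_resolver(host: str) -> Tuple[List[bytes], bool]:
    return [SAMPLE_RDATA], True

def unsigned_resolver(host: str) -> Tuple[List[bytes], bool]:
    return [SAMPLE_RDATA], False
```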
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf