On Fri, 2015-07-03 at 15:43 +0200, Petr Spacek wrote:
> For the record, and all this can be solved by DNSSEC + DANE. See RFC
> 6698.

I was planning to use DANE as a second required check in addition to the normal certificate chain. That is, if either the certificate chain doesn't check out or DANE fails, then something is spooky and the site should be inaccessible.

Other browsers are throwing around ideas about using DANE to make the site accessible in the event the certificate chain fails, which seems like the wrong direction to me. I haven't really seen any good arguments in favor of one approach or the other, though.

Michael
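
The two ways of combining the checks discussed in this message, as an added example that is not part of the original e-mail or of any browser's code: it matches RFC 6698 TLSA records (selector and matching type) against constructed certificate bytes and compares the outcome of each policy. The function names, the three DANE states, and the treatment of "no TLSA records" as neutral are assumptions; the certificate usage field is carried but not interpreted.

```python
import hashlib

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_HASHES = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def tlsa_matches(record, cert_der, spki_der):
    """record = (usage, selector, matching_type, data); usage is not interpreted here."""
    _usage, selector, mtype, data = record
    # Selector 0 = full certificate, 1 = SubjectPublicKeyInfo.
    selected = {0: cert_der, 1: spki_der}.get(selector)
    if selected is None or mtype not in _HASHES:
        return False  # unknown selector or matching type: treated here as a non-match
    return _HASHES[mtype](selected) == data

def dane_state(records, cert_der, spki_der):
    """'absent' if no TLSA records (assumed DNSSEC-validated), else 'match' or 'fail'."""
    if not records:
        return "absent"
    ok = any(tlsa_matches(r, cert_der, spki_der) for r in records)
    return "match" if ok else "fail"

def additional_check(chain_ok, dane):
    # Policy from the message: the chain AND DANE must both hold.
    # Assumption: a site that publishes no TLSA records is judged on the chain alone.
    return chain_ok and dane != "fail"

def fallback(chain_ok, dane):
    # Policy attributed to other browsers: a DANE match can rescue a failed chain.
    # Assumption: DANE is consulted only as a rescue, so a mismatch never blocks.
    return chain_ok or dane == "match"

def decision_table(records, cert_der, spki_der):
    """Map chain_ok -> (additional_check result, fallback result)."""
    dane = dane_state(records, cert_der, spki_der)
    return {chain_ok: (additional_check(chain_ok, dane), fallback(chain_ok, dane))
            for chain_ok in (True, False)}

# Constructed sample data, not a real certificate or key.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-spki-der"
PINNED = [(3, 1, 1, hashlib.sha256(SPKI).digest())]
STALE = [(3, 1, 1, hashlib.sha256(b"old-key").digest())]

if __name__ == "__main__":
    for name, recs in (("pinned", PINNED), ("stale", STALE), ("none", [])):
        print(name, decision_table(recs, CERT, SPKI))
```

The policies diverge in two cells: a valid chain with a mismatching TLSA record (blocked only by the additional check) and a failed chain with a matching record (accepted only by the fallback).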