On Fri, 2015-07-03 at 11:21 -0400, Mike Pinkerton wrote:
> Isn't the whole point to eliminate the need for third party
> certificate authorities entirely?

Well I think you could choose to do that, or you could choose to use it
as an additional security measure on top of traditional certificate
authorities.

> Just to clarify what you are saying -- if there is a third party
> certificate chain which fails, then you would distrust the site. But
> if there is no third party certificate authority chain, and DANE
> succeeds, then you would accept the DANE-provided certificate and
> trust the site.

I was thinking to require both to work, instead of just one or the
other. Seems like that would make life hardest for the attacker.

Anyway, we'll probably wait for some major browser to use DANE first
(probably won't be Chrome [1]) and then copy what they do for GNOME.

Michael

[1] https://www.imperialviolet.org/2015/01/17/notdane.html

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
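The three client policies discussed in this message (DANE alone, one or the other, both required), as an added example that is not part of the original post or any GNOME code. The policy names, the `scenario` helper and the placeholder certificate bytes are assumptions made for illustration; TLSA field values follow RFC 6698, and only end-entity usages (1 and 3) are handled.

```python
import hashlib
from collections import namedtuple

# usage: 1 = PKIX-EE, 3 = DANE-EE; selector: 0 = full cert, 1 = SPKI;
# mtype: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698)
Tlsa = namedtuple("Tlsa", "usage selector mtype data")
_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def tlsa_matches(rec, cert_der, spki_der):
    """Compare the record's association data with the presented end-entity cert."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return rec.data == selected
    digest = _DIGESTS.get(rec.mtype)
    return digest is not None and digest(selected).digest() == rec.data

def dane_ok(records, dnssec_secure, pkix_ok, cert_der, spki_der):
    """DANE succeeds only on DNSSEC-validated data; PKIX-EE also needs the CA chain."""
    if not dnssec_secure:
        return False
    for rec in records:
        if rec.usage == 3 and tlsa_matches(rec, cert_der, spki_der):
            return True
        if rec.usage == 1 and pkix_ok and tlsa_matches(rec, cert_der, spki_der):
            return True
    return False

def accept(policy, pkix_ok, dane):
    """Hypothetical client policies; the names are this example's, not GNOME's."""
    return {"dane_only": dane, "either": pkix_ok or dane, "both": pkix_ok and dane}[policy]

# Constructed placeholder bytes standing in for DER certificates and public keys.
SITE_CERT, SITE_SPKI = b"site-cert", b"site-spki"
ROGUE_CERT, ROGUE_SPKI = b"rogue-cert", b"rogue-spki"
SITE_TLSA = [Tlsa(3, 1, 1, hashlib.sha256(SITE_SPKI).digest())]

def scenario(name):
    """Return the accept/reject decision of each policy for one constructed case."""
    if name == "misissued_ca_cert":   # CA chain validates, DNS data is intact
        pkix, dane = True, dane_ok(SITE_TLSA, True, True, ROGUE_CERT, ROGUE_SPKI)
    elif name == "forged_dns":        # signed zone compromised, self-signed cert
        forged = [Tlsa(3, 0, 2, hashlib.sha512(ROGUE_CERT).digest())]
        pkix, dane = False, dane_ok(forged, True, False, ROGUE_CERT, ROGUE_SPKI)
    else:                             # genuine site: both checks pass
        pkix, dane = True, dane_ok(SITE_TLSA, True, True, SITE_CERT, SITE_SPKI)
    return {p: accept(p, pkix, dane) for p in ("dane_only", "either", "both")}
```

Only the "both" policy rejects the rogue certificate in the two compromise cases, at the cost of depending on the CA chain and the DNSSEC chain being available at the same time.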