In message <alpine.LSU.2.00.0811131135530.14367@xxxxxxxxxxxxxxxxxxxxxx>, Tony Finch writes:

> You also need the server to provide a verifiable TLS certificate. The vast
> majority of them are not. This problem is perhaps even harder to fix than
> the lack of DNSSEC.

Just use DNSSEC and CERT records to do that. If self-signed, look in the DNS for the CERT. Accept if signed and validated by DNSSEC. Have a low TTL on the CERT so as to not blow the DNS cache (caches can enforce this if needed) and maintain an on-disk cache of the certs retrieved via the DNS, as they have their own validity period. Attempt to retrieve a new one via DNS if the on-disk one doesn't match.

Certs that are signed by private CAs are harder to deal with as you don't have the linkage from the name to the CA.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@xxxxxxx
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
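The lookup-and-cache procedure Mark sketches above (self-signed cert -> CERT record in the DNS -> accept only if DNSSEC-validated -> keep an on-disk copy -> go back to the DNS when the presented cert no longer matches the cached one) as an added, stand-alone example. This is not code from the message or from ISC; it is an illustration written here. The CERT RDATA layout (type, key tag, algorithm, certificate) follows RFC 4398. `FakeResolver`, `DiskCache`, the zone contents and the certificate byte strings are constructed stand-ins: the resolver reports whether its answer was DNSSEC-validated (the AD bit a validating resolver would set), and the dict-backed cache stands in for a file on disk. The cache validity period is passed in as a number of seconds; in real use it would be bounded by the X.509 notAfter of the stored certificate.

```python
import struct

# CERT RR certificate type codes, RFC 4398 section 2.1 (only PKIX is used here).
CERT_TYPE_PKIX = 1


def parse_cert_rdata(rdata):
    """Split CERT RDATA into (type, key_tag, algorithm, certificate) per RFC 4398."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack(">HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]


def build_cert_rdata(cert_type, key_tag, algorithm, certificate):
    """Inverse of parse_cert_rdata; used to construct the sample zone below."""
    return struct.pack(">HHB", cert_type, key_tag, algorithm) + certificate


class FakeResolver:
    """Constructed stand-in for a validating resolver (assumption, not a real API).

    zone maps an owner name to (list of CERT RDATA, dnssec_validated). The
    second element plays the role of the AD bit on the answer."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0  # counted so the cache behaviour can be checked

    def query_cert(self, name):
        self.queries += 1
        return self.zone.get(name, ([], False))


class DiskCache:
    """Stand-in for the on-disk cache of certs retrieved via DNS (a dict here).

    Entries carry their own expiry, independent of the DNS TTL, which is what
    lets the CERT record keep a low TTL without re-querying on every connect."""

    def __init__(self):
        self.entries = {}

    def get(self, name, now):
        entry = self.entries.get(name)
        if entry is None:
            return None
        cert, expires = entry
        if now >= expires:
            del self.entries[name]
            return None
        return cert

    def put(self, name, cert, expires):
        self.entries[name] = (cert, expires)


def accept_self_signed(name, presented_cert, resolver, cache, now, validity_seconds):
    """Return True if the self-signed cert presented for `name` matches a
    DNSSEC-validated CERT record (or the still-valid on-disk copy of one)."""
    cached = cache.get(name, now)
    if cached is not None and cached == presented_cert:
        return True  # served from disk, no DNS traffic
    # Cache miss, expiry, or mismatch (e.g. the server rotated its cert):
    # go back to the DNS for a fresh CERT record.
    records, validated = resolver.query_cert(name)
    if not validated:
        return False  # unsigned or failed validation: no basis to trust it
    for rdata in records:
        cert_type, _key_tag, _alg, cert = parse_cert_rdata(rdata)
        if cert_type == CERT_TYPE_PKIX and cert == presented_cert:
            cache.put(name, cert, now + validity_seconds)
            return True
    return False


# Constructed sample data: opaque byte strings standing in for DER certificates.
CERT_A = b"\x30\x82-constructed-DER-www.example-A"
CERT_B = b"\x30\x82-constructed-DER-www.example-B"
# Key tag and algorithm are 0 because these certs are not tied to a DNSKEY.
ZONE = {
    "www.example.": ([build_cert_rdata(CERT_TYPE_PKIX, 0, 0, CERT_A)], True),
    "unsigned.example.": ([build_cert_rdata(CERT_TYPE_PKIX, 0, 0, CERT_B)], False),
}


def demo():
    """Walk through the cases: first contact, cache hit, unsigned zone,
    mismatch against the cache, and a rotated cert republished in the DNS."""
    resolver, cache, now = FakeResolver(dict(ZONE)), DiskCache(), 1_000_000
    first = accept_self_signed("www.example.", CERT_A, resolver, cache, now, 3600)
    cached = accept_self_signed("www.example.", CERT_A, resolver, cache, now + 10, 3600)
    queries_after_cache_hit = resolver.queries
    unsigned = accept_self_signed("unsigned.example.", CERT_B, resolver, cache, now, 3600)
    mismatch = accept_self_signed("www.example.", CERT_B, resolver, cache, now, 3600)
    # Operator rotates to CERT_B and publishes it; the next mismatch refetches and accepts.
    resolver.zone["www.example."] = ([build_cert_rdata(CERT_TYPE_PKIX, 0, 0, CERT_B)], True)
    rotated = accept_self_signed("www.example.", CERT_B, resolver, cache, now, 3600)
    return first, cached, queries_after_cache_hit, unsigned, mismatch, rotated, resolver.queries


if __name__ == "__main__":
    print(demo())
```

Note what the mismatch path does: a cached cert that no longer matches what the server presents is not treated as an attack by itself; it triggers one more DNSSEC-validated lookup, and only a published, validated record matching the new cert leads to acceptance. The private-CA case from the message is not covered, since there is nothing in the name to link to the CA.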