On Fri, 14 Nov 2008, Mark Andrews wrote:
In message
<alpine.LSU.2.00.0811131135530.14367@xxxxxxxxxxxxxxxxxxxxxx>, Tony F
inch writes:
You also need the server to provide a verifiable TLS certificate.
The vast majority of them are not. This problem is perhaps even
harder to fix than the lack of DNSSEC.
Just use DNSSEC and CERT records to do that.
...>
If self signed, look in the DNS for the CERT. Accept if
signed and validated by DNSSEC.
How does an application do "accept if signed and validated by DNSSEC"?
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf