Matthew Ernisse matt at going-flying.com
Mon Mar 1 01:27:51 GMT 2021
- - - - - - - - - - - - - - - - - - -
On Sun, Feb 28, 2021 at 08:32:53PM +0100, Solene Rapenne said unto me:
2) If 1 is invalid, let's (introduce something new here) check if
DNS doesn't have a TXT field with the certificate fingerprint and
see if it matches the current one, accept if OK
I think this is the perfect use of the TLSA record, instead of introductinga new use of TXT. It is already used by DANE to provide trust outside ofthe CA structure.
--Matt
---Matthew Ernissematt at going-flying.comhttps://www.going-flying.com/