* My suggestion is something similar to DANE and DKIM (in utilizing DNS and DNSSEC). DNS TXT records are already used by the ACME protocol to pass a challenge, so why not use a similar implementation to authenticate the server itself to the client, so the client can verify the certificate and the chain without a third party?
No third party is needed. The client has to trust *something* out of band. In a browser, this is typically the root store, and any CA trust chain should end up being signed by something in that store. Other clients have different methods, but they are ultimately a set of trusted “root anchors.” If you put data in DNS, then the client has to trust DNS and the chain that signed that data. I think we’re struggling to understand the issue you are trying to raise.
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
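Added example, not part of the list thread or of any ACME implementation: the two DNS bindings the exchange above compares, side by side. The first half derives the ACME dns-01 TXT value the way RFC 8555 section 8.4 specifies it (RFC 7638 JWK thumbprint, key authorization, SHA-256, base64url) and shows the CA-side check. The second half builds and checks a DANE-style TLSA record (RFC 6698, usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) and refuses to accept it unless the lookup was DNSSEC-authenticated, which is the reply's point: the record only moves the trust anchor from the CA root store to the DNSSEC chain. The account JWK, token and SPKI bytes are constructed placeholders, not real key material; only the stdlib is used.

```python
"""ACME dns-01 versus DANE TLSA: what each side publishes, checks, and trusts.

Constructed example: key material, token and SPKI bytes below are fabricated.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: keep only the required members, sort them, compact JSON, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: the client publishes base64url(SHA-256(token '.' thumbprint))
    as a TXT record at _acme-challenge.<identifier>."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def ca_validates_dns01(token: str, account_jwk: dict, published_txt: list) -> bool:
    """CA side: recompute the expected value from the account key it already
    holds and look for it among the TXT strings it queried from DNS."""
    expected = dns01_txt_value(token, account_jwk)
    return any(hmac.compare_digest(expected, v) for v in published_txt)


def tlsa_rdata(spki_der: bytes, usage: int = 3, selector: int = 1,
               matching: int = 1) -> str:
    """RFC 6698 presentation format: "usage selector matching-type hex-data".
    Only selector 1 (SPKI) with matching type 1 (SHA-256) is implemented."""
    if (selector, matching) != (1, 1):
        raise NotImplementedError("only selector 1 / matching type 1 supported")
    return f"{usage} {selector} {matching} {hashlib.sha256(spki_der).hexdigest()}"


def tlsa_matches(rdata: str, served_spki_der: bytes, dnssec_authenticated: bool) -> bool:
    """Client side. A TLSA record from an unauthenticated answer (no validated
    DNSSEC chain) is not usable (RFC 6698 s4.1), because anyone able to spoof
    the DNS reply could then also choose which key is "pinned"."""
    if not dnssec_authenticated:
        return False
    usage, selector, matching, assoc = rdata.split()
    if (selector, matching) != ("1", "1"):
        raise NotImplementedError("only selector 1 / matching type 1 supported")
    served = hashlib.sha256(served_spki_der).hexdigest()
    return hmac.compare_digest(assoc.lower(), served)


# Constructed inputs (not a real RSA modulus, token, or certificate).
EXAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 64)}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
EXAMPLE_SPKI_DER = b"\x30\x82\x01\x22\x30\x0d\x06\x09" + b"\x42" * 40


def demo() -> dict:
    """Run both flows on the constructed inputs and return what each side sees."""
    txt = dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_ACCOUNT_JWK)
    record = tlsa_rdata(EXAMPLE_SPKI_DER)
    return {
        "dns01_txt": txt,
        "ca_accepts": ca_validates_dns01(EXAMPLE_TOKEN, EXAMPLE_ACCOUNT_JWK, [txt]),
        "tlsa_record": record,
        "client_accepts_with_dnssec": tlsa_matches(record, EXAMPLE_SPKI_DER, True),
        "client_accepts_without_dnssec": tlsa_matches(record, EXAMPLE_SPKI_DER, False),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that in neither flow does DNS make the trust anchor disappear: the CA trusts the account key it registered plus the DNS answer it fetched, and the DANE client trusts whatever DNSSEC trust anchor validated the TLSA answer. Swapping one for the other is a change of anchor, not a removal of one.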
