On Wed, 30 Nov 2016, Matt Larson wrote:
> Did you see my message earlier in the thread? Is there a reason you
> don't include a third option: retrieving the trust anchor file published
> by IANA/PTI (https://data.iana.org/root-anchors/root-anchors.xml) and
> validating with the detached S/MIME signature published in the same
> place (https://data.iana.org/root-anchors/root-anchors.p7s)? That
> signature chains to the ICANN CA cert, which currently expires in 2029.
> Sure, it's more code, but it can all be done with OpenSSL, for example.
This sounds like a workable solution.
It would be great if ICANN could write a document outlining how to do
this and perhaps even provide FOSS example code.
--
Mikael Abrahamsson email: swm...@swm.pp.se
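As an added illustration of the OpenSSL-based check Matt describes (example code written for this note, not from the thread, IANA or ICANN): a detached S/MIME (PKCS#7) signature is verified against the trust-anchor file and a CA certificate with the openssl command-line tool. So that it runs offline, everything below is constructed: a stand-in CA and signer certificate, a made-up XML file with placeholder values, and a signature produced locally. In real use the XML and .p7s files are the ones fetched from data.iana.org and the CA file is the ICANN CA certificate; the function names (verify_anchor_file, make_fixture, demo) are this example's own. It goes a little beyond the quoted description by also showing that a tampered file and a signature that does not chain to the expected CA are both rejected.

```shell
#!/bin/sh
# Added example: verify a trust-anchor file against its detached S/MIME
# signature with the openssl CLI. All material below is CONSTRUCTED so the
# script runs offline; substitute the IANA files and the ICANN CA cert in
# real use.

# verify_anchor_file XML P7S CAFILE
# Succeeds (exit 0) only if P7S is a valid detached signature over the exact
# bytes of XML and the signer certificate chains to a CA in CAFILE.
# -binary: compare the file byte-for-byte, no line-ending canonicalisation.
verify_anchor_file() {
  openssl smime -verify -binary -inform DER \
    -in "$2" -content "$1" -CAfile "$3" -out /dev/null
}

# make_fixture: build a throwaway directory holding a constructed CA, a
# signer cert issued by it, an unrelated second CA, a placeholder
# root-anchors.xml and a detached DER signature. Prints the directory path.
make_fixture() {
  fx=$(mktemp -d)
  # constructed stand-in for the ICANN CA (self-signed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$fx/ca.key" -out "$fx/ca.pem" 2>/dev/null
  # constructed signer certificate, issued by that CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Anchor Signer" \
    -keyout "$fx/signer.key" -out "$fx/signer.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$fx/signer.csr" \
    -CA "$fx/ca.pem" -CAkey "$fx/ca.key" -CAcreateserial \
    -out "$fx/signer.pem" 2>/dev/null
  # an unrelated CA that must NOT be accepted as a trust root for the signature
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Unrelated CA" \
    -keyout "$fx/other-ca.key" -out "$fx/other-ca.pem" 2>/dev/null
  # constructed trust-anchor XML: shape only, every value is a placeholder
  cat > "$fx/root-anchors.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-example" source="constructed for this example">
  <Zone>.</Zone>
  <KeyDigest id="placeholder" validFrom="2000-01-01T00:00:00+00:00">
    <KeyTag>0</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>0000000000000000000000000000000000000000000000000000000000000000</Digest>
  </KeyDigest>
</TrustAnchor>
EOF
  # detached signature (no content embedded), DER-encoded like root-anchors.p7s
  openssl smime -sign -binary -in "$fx/root-anchors.xml" \
    -signer "$fx/signer.pem" -inkey "$fx/signer.key" \
    -outform DER -out "$fx/root-anchors.p7s" 2>/dev/null
  echo "$fx"
}

# demo: exit 0 only if the genuine file verifies AND the two negative cases
# (modified content, wrong CA) are rejected.
demo() {
  d=$(make_fixture)
  verify_anchor_file "$d/root-anchors.xml" "$d/root-anchors.p7s" "$d/ca.pem" \
    || return 1
  # one changed byte in the content must break the signature
  sed 's#<Zone>\.</Zone>#<Zone>example</Zone>#' "$d/root-anchors.xml" \
    > "$d/tampered.xml"
  if verify_anchor_file "$d/tampered.xml" "$d/root-anchors.p7s" "$d/ca.pem"; then
    return 1
  fi
  # a valid signature that chains to some other CA is not good enough
  if verify_anchor_file "$d/root-anchors.xml" "$d/root-anchors.p7s" "$d/other-ca.pem"; then
    return 1
  fi
  rm -rf "$d"
  return 0
}

demo && echo "genuine file verified; tampered copy and wrong CA rejected"
```

The CA file is the part that decides what the check is worth: verification with `-CAfile` succeeds for any signer whose chain ends in that file, so the ICANN CA certificate it points at should itself be obtained and pinned out of band (bundled with the resolver, not fetched from the same place as the signature), and a change of signer certificate, which will happen before the CA's 2029 expiry, is then handled by the chain rather than by a code change.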
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop