In article <alpine.deb.2.02.1611301658190.3...@uplift.swm.pp.se> you write:
>On Wed, 30 Nov 2016, Matt Larson wrote:
>
>> Did you see my message earlier in the thread? Is there a reason you
>> don't include a third option: retrieving the trust anchor file published
>> by IANA/PTI (https://data.iana.org/root-anchors/root-anchors.xml) and
>> validating with the detached S/MIME signature published in the same
>> place (https://data.iana.org/root-anchors/root-anchors.p7s)? That
>> signature chains to the ICANN CA cert, which currently expires in 2029.
>> Sure, it's more code, but it can all be done with OpenSSL, for example.
>
>This sounds like a workable solution.
>
>It would be great if ICANN could write a document outlining how to do
>this and perhaps even provide FOSS example code.
$ wget https://data.iana.org/root-anchors/root-anchors.xml
$ wget https://data.iana.org/root-anchors/root-anchors.p7s
$ openssl smime -verify -in root-anchors.p7s -inform der -content root-anchors.xml -noverify

If you have the ICANN CA cert lying around, replace -noverify with -CAfile <cacertfile>

R's,
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
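The openssl line above checks the detached CMS signature; what the thread calls "more code" is everything after that: turning the signed XML into trust anchors a resolver can use while honouring each KeyDigest's validFrom/validUntil window. The following Python is an added example written for this page, not code from John, ICANN or IANA. It builds the same openssl command shown above (signature-only with -noverify, or chained to a CA file), parses a document in the layout of root-anchors.xml (TrustAnchor, Zone, KeyDigest with KeyTag, Algorithm, DigestType, Digest), and emits presentation-format DS records. The embedded XML is a constructed sample; its key tags, ids and digests are made up and are not the real KSK digests.

```python
"""Added example (not from the DNSOP thread): consume root-anchors.xml after
its detached CMS signature has been checked.  Sample data is constructed."""
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import List, NamedTuple, Optional, Union


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def openssl_verify_argv(xml_path: str, p7s_path: str,
                        ca_file: Optional[str] = None) -> List[str]:
    """Same openssl invocation as in the reply above.  With ca_file=None the
    signature is checked but the signer's chain is not (-noverify), which only
    proves that *somebody* signed the file; pass the ICANN CA cert so openssl
    also requires the signer to chain to it."""
    argv = ["openssl", "smime", "-verify", "-in", p7s_path, "-inform", "der",
            "-content", xml_path]
    if ca_file is None:
        argv.append("-noverify")
    else:
        argv += ["-CAfile", ca_file]
    return argv


def verify_signature(xml_path: str, p7s_path: str,
                     ca_file: Optional[str] = None) -> bool:
    """Run openssl; success is the exit status (stdout is just the content)."""
    proc = subprocess.run(openssl_verify_argv(xml_path, p7s_path, ca_file),
                          stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
    return proc.returncode == 0


def _ts(value: str) -> datetime:
    # validFrom/validUntil are ISO 8601 with an explicit offset, e.g.
    # 2010-07-15T00:00:00+00:00.  Refuse naive timestamps so a comparison
    # against an aware "now" can never silently go wrong.
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("timestamp without UTC offset: %r" % value)
    return ts


def current_anchors(xml_text: str, now: Union[str, datetime]) -> List[DS]:
    """KeyDigest entries valid at `now`, as DS tuples.  Entries not yet valid
    or already expired are dropped, so a retired KSK is never trusted merely
    because it is still listed in the file."""
    if isinstance(now, str):
        now = _ts(now)
    root = ET.fromstring(xml_text)
    if root.tag != "TrustAnchor" or root.findtext("Zone") != ".":
        raise ValueError("not a root-zone TrustAnchor document")
    anchors = []
    for kd in root.findall("KeyDigest"):
        if now < _ts(kd.get("validFrom")):
            continue                      # published ahead of time, not yet usable
        until = kd.get("validUntil")      # absent means open-ended
        if until is not None and now >= _ts(until):
            continue                      # rolled out, must not be trusted
        anchors.append(DS(int(kd.findtext("KeyTag")),
                          int(kd.findtext("Algorithm")),
                          int(kd.findtext("DigestType")),
                          kd.findtext("Digest").strip().upper()))
    return anchors


def ds_records(anchors: List[DS]) -> List[str]:
    """Presentation-format DS RRs, the form most resolvers take as anchors."""
    return [". IN DS %d %d %d %s" % a for a in anchors]


def anchor_still_trusted(anchors: List[DS], configured: DS) -> bool:
    """True if the anchor a resolver is configured with is still in the
    currently valid set; False means it is time to roll the configuration."""
    return configured in anchors


# Constructed sample in the layout of root-anchors.xml.  Ids, key tags and
# digests are invented for this example; only the element structure is real.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="example" source="https://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="old" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>11111</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>%s</Digest>
</KeyDigest>
<KeyDigest id="new" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>22222</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>%s</Digest>
</KeyDigest>
</TrustAnchor>
""" % ("0123456789ABCDEF" * 4, "FEDCBA9876543210" * 4)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample at three points in time.
    for when in ("2016-12-01T00:00:00+00:00", "2018-06-01T00:00:00+00:00",
                 "2020-01-01T00:00:00+00:00"):
        print(when, ds_records(current_anchors(SAMPLE_XML, when)))
```

Two points the script makes explicit: -noverify is only a check that the CMS blob is internally consistent, so the -CAfile variant is the one that actually binds the file to ICANN; and the overlap period (here 2017-02-02 to 2019-01-11) is where both anchors are valid at once, which is exactly when a resolver should be carrying both.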