In article <alpine.deb.2.02.1611301658190.3...@uplift.swm.pp.se> you write:
>On Wed, 30 Nov 2016, Matt Larson wrote:
>
>> Did you see my message earlier in the thread?  Is there a reason you 
>> don't include a third option: retrieving the trust anchor file published 
>> by IANA/PTI (https://data.iana.org/root-anchors/root-anchors.xml) and 
>> validating with the detached S/MIME signature published in the same 
>> place (https://data.iana.org/root-anchors/root-anchors.p7s)?  That 
>> signature chains to the ICANN CA cert, which currently expires in 2029. 
>> Sure, it's more code, but it can all be done with OpenSSL, for example.
>
>This sounds like a workable solution.
>
>It would be great if ICANN could write a document outlining how to do 
>this and perhaps even provide FOSS example code.

$ wget https://data.iana.org/root-anchors/root-anchors.xml
$ wget https://data.iana.org/root-anchors/root-anchors.p7s
$ openssl smime -verify -in root-anchors.p7s -inform der -content \
    root-anchors.xml -noverify

If you have the ICANN CA cert lying around, replace -noverify with -CAfile <cacertfile>
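The same verification step as a script, added here as an illustration; it is not the command from the thread and not IANA or ICANN code. verify_anchor_file() is the -CAfile form with the signer chain pinned to one CA certificate, signature_only_check() is the -noverify form. Because the real files live on data.iana.org, build_demo() constructs a stand-in so the script runs offline: a throw-away CA, a signer certificate, a constructed root-anchors.xml (only an approximation of the real file's layout, with placeholder KeyTag and Digest values) and a detached DER PKCS#7 signature over it, plus a second signature from a signer under an unrelated CA. The function names, config section names and file layout are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread's command and not IANA/ICANN code. Shows the
# detached S/MIME verification with the signer chain pinned to one CA
# certificate, and what -noverify does and does not prove. All keys and the
# XML content below are constructed stand-ins for the IANA publication.
set -eu

# Minimal config so the demo does not depend on the system openssl.cnf.
# Section names ca_ext and signer_ext are our own.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[signer_ext]
keyUsage = digitalSignature
extendedKeyUsage = emailProtection
EOF
}

# make_ca DIR NAME CN: self-signed CA written to DIR/NAME.pem and DIR/NAME.key
make_ca() {
    openssl req -x509 -config "$1/demo.cnf" -extensions ca_ext -newkey rsa:2048 \
        -nodes -keyout "$1/$2.key" -out "$1/$2.pem" -subj "/CN=$3" -days 1 2>/dev/null
}

# issue_signer DIR NAME CA: S/MIME signing certificate issued by DIR/CA.pem
issue_signer() {
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 1 -extfile "$1/demo.cnf" -extensions signer_ext \
        -out "$1/$2.pem" 2>/dev/null
}

# detached_sign DIR CONTENT SIGNER OUT: detached DER PKCS#7 signature over the
# raw bytes of DIR/CONTENT (-binary skips CRLF canonicalisation), the same
# shape as root-anchors.p7s
detached_sign() {
    openssl smime -sign -binary -in "$1/$2" -signer "$1/$3.pem" -inkey "$1/$3.key" \
        -outform DER -out "$1/$4" 2>/dev/null
}

# build_demo DIR: genuine signature (signer under the demo CA), impostor
# signature (signer under an unrelated CA) and a tampered copy of the content
build_demo() {
    d=$1
    write_cnf "$d/demo.cnf"
    # constructed sample content; KeyTag and Digest are placeholders
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<TrustAnchor id="demo-placeholder"><Zone>.</Zone>' \
        '<KeyDigest id="demo"><KeyTag>12345</KeyTag><Algorithm>8</Algorithm>' \
        '<DigestType>2</DigestType><Digest>PLACEHOLDER</Digest></KeyDigest>' \
        '</TrustAnchor>' > "$d/root-anchors.xml"
    sed 's/12345/54321/' "$d/root-anchors.xml" > "$d/tampered.xml"
    make_ca "$d" ca "Demo stand-in for the ICANN CA"
    make_ca "$d" other "Unrelated CA"
    issue_signer "$d" signer ca
    issue_signer "$d" impostor other
    detached_sign "$d" root-anchors.xml signer root-anchors.p7s
    detached_sign "$d" root-anchors.xml impostor impostor.p7s
}

# verify_anchor_file XML P7S CAFILE: succeeds only if the signature matches XML
# and the signer certificate shipped in P7S chains to CAFILE; the default
# system store is excluded so nothing but CAFILE is trusted
verify_anchor_file() {
    openssl smime -verify -in "$2" -inform DER -content "$1" \
        -CAfile "$3" -no-CAfile -no-CApath -out /dev/null 2>/dev/null
}

# signature_only_check XML P7S: the -noverify form; proves the bytes match the
# certificate inside P7S, but says nothing about who issued that certificate
signature_only_check() {
    openssl smime -verify -in "$2" -inform DER -content "$1" \
        -noverify -out /dev/null 2>/dev/null
}

# check_expectations DIR: returns 0 when all four outcomes are as commented
check_expectations() {
    d=$1
    verify_anchor_file "$d/root-anchors.xml" "$d/root-anchors.p7s" "$d/ca.pem" || return 1  # genuine: accepted
    ! verify_anchor_file "$d/root-anchors.xml" "$d/impostor.p7s" "$d/ca.pem" || return 1    # impostor, pinned CA: rejected
    signature_only_check "$d/root-anchors.xml" "$d/impostor.p7s" || return 1                 # impostor, -noverify: accepted
    ! signature_only_check "$d/tampered.xml" "$d/root-anchors.p7s" || return 1               # tampered content: rejected
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_demo "$work"
    check_expectations "$work" && echo "all four checks behaved as expected"
fi
```

Run it as `sh verify-anchors.sh demo` to exercise the four cases on the constructed files. Against the real publication you would call verify_anchor_file with the downloaded root-anchors.xml, root-anchors.p7s and the ICANN CA certificate as the third argument; the impostor case is the reason to prefer that over -noverify, which accepts any well-formed signature whose certificate is carried inside the .p7s itself.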


R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop