On Jan 10, 2020, at 9:45 AM, Dan Wing <danw...@gmail.com> wrote:
> The signature could be retrieved and validated separately from the stamp
> itself. For example, after getting the DNS stamp, retrieve a well-known DNS
> object (TXT, new RR, whatever) which is signed by the external entity. That
> would keep the signature short and keep the problem away from the signature.
> With that, DoH could obtain the signature from the TLS certificate itself, if
> we wanted, rather than by retrieving a (DNS) object

Sure, if the stamp had a validation process, that would address one of the issues I raised. :)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop