> > How about a TXT record with the CN string of the CA cert subject in it? > > If it exists and there's a conflict, don't trust it. Seems simple > > enough to implement without too much collateral damage. > > Needs to be a DNSSEC-validated TXT record, or you've opened yourself up > to attacks via DNS poisoning (either insert a malicious TXT that matches > your malicious certificate, or insert a malicious TXT that intentionally > *doesn't* match the vicitm's certificate)....
And how do you validate the dnssec to make sure that noone has tampered with it. -- //fredan
