Yes, I understand DANE can be used for MTAs. My musing is could it completely replace the existing CA mess, and I suppose the follow up is how?


On September 30, 2016 09:12:30 wie...@porcupine.org (Wietse Venema) wrote:

John:
This may be way off topic; if so, I apologise.

Looking at the available CAs, many of them do not seem to pass the
sniff test. WoSign/Startcom are not alone in being found to be
either incompetent or dishonest. Which made me wonder if there might be
an alternative to CA issued certs. Is there any way that DNS/DNSSEC could
be used to publish and verify certs?

DANE can be used to implement TLS authentication without PKI.
Available in Postfix since 2.11.

        Wietse

