On Monday, July 13, 2015 10:47:11 pm Viktor Dukhovni wrote:

> Furthermore, DANE-EE(3) clients and certificate pinning clients
> cannot use anon_DH, they still need a recognizable certificate from the
> server, they just often don't need a recognizable signature. Even
> DANE-TA(2) clients might be able to stop part-way up the chain
> before the objectionable signature appears.
Generic open-ended question: Is there anything else with regard to getting DANE working more smoothly that needs addressing?

The current CA-based system generally sucks, and whilst not everyone agrees that DANE is currently the ideal alternative, fixing issues inhibiting it could improve things here. It really would be nice if TLS 1.3 was as DANE-friendly as possible so we can start getting support built into more clients and be less reliant on the current mess.

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
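The quoted point (a DANE-EE(3) client needs the server's certificate but not a verifiable signature on it) is easiest to see in the TLSA matching logic itself. The following is example code added for this page, not code from the thread or from any DANE implementation; it uses the RFC 6698 usage/selector/matching-type values and a minimal DER walker, and the certificates it checks are constructed toy X.509 structures with made-up key bytes and made-up signature bytes. A DANE-EE "3 1 1" record matches the SubjectPublicKeyInfo, so re-signing the same key by a different issuer still matches, while a "3 0 1" (full-certificate) record does not; nothing in the check touches the signature.

```python
import hashlib

# TLSA RDATA values from RFC 6698.
USAGE_DANE_TA = 2       # record names a trust anchor somewhere in the chain
USAGE_DANE_EE = 3       # record names the end-entity certificate itself
SELECTOR_FULL_CERT = 0  # match the whole DER certificate
SELECTOR_SPKI = 1       # match only the SubjectPublicKeyInfo
MATCHING_EXACT = 0
MATCHING_SHA256 = 1
MATCHING_SHA512 = 2


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one definite-length DER TLV (long-form length when needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read_tlv(data: bytes, offset: int):
    """Decode the TLV at data[offset:]; return (tag, content, offset_after_tlv)."""
    tag = data[offset]
    first = data[offset + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = offset + hdr
    return tag, data[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = der_read_tlv(cert_body, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, _, off = der_read_tlv(tbs, 0)
    if tag == 0xA0:                      # explicit [0] version present: skip serialNumber too
        _, _, off = der_read_tlv(tbs, off)
    for _ in range(4):                   # signature AlgorithmIdentifier, issuer, validity, subject
        _, _, off = der_read_tlv(tbs, off)
    spki_start = off
    _, _, off = der_read_tlv(tbs, off)
    return tbs[spki_start:off]


def tlsa_matching_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute the certificate association data a TLSA record carries for this cert."""
    data = cert_der if selector == SELECTOR_FULL_CERT else extract_spki(cert_der)
    if matching_type == MATCHING_EXACT:
        return data
    if matching_type == MATCHING_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCHING_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")


def dane_ee_matches(cert_der: bytes, record: tuple) -> bool:
    """DANE-EE(3): the presented leaf must match the record. No chain, no signature check."""
    usage, selector, matching_type, assoc = record
    if usage != USAGE_DANE_EE:
        return False
    return tlsa_matching_data(cert_der, selector, matching_type) == assoc


def build_toy_cert(key_bytes: bytes, signature: bytes) -> bytes:
    """Constructed, structurally valid but cryptographically meaningless X.509 DER."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    key_alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))  # rsaEncryption
    name = der_tlv(0x30, b"")                                                          # empty Name
    validity = der_tlv(0x30, der_tlv(0x17, b"150101000000Z") + der_tlv(0x17, b"160101000000Z"))
    spki = der_tlv(0x30, key_alg + der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + signature))


# Constructed sample material: same key signed by two different issuers, plus a different key.
CERT_A1 = build_toy_cert(b"constructed-public-key-A", b"constructed-signature-issuer-1")
CERT_A2 = build_toy_cert(b"constructed-public-key-A", b"constructed-signature-issuer-2")
CERT_B = build_toy_cert(b"constructed-public-key-B", b"constructed-signature-issuer-1")


def publish_record(cert_der: bytes, selector: int = SELECTOR_SPKI) -> tuple:
    """The record an operator would publish for this cert: 3 <selector> 1 <sha256>."""
    return (USAGE_DANE_EE, selector, MATCHING_SHA256,
            tlsa_matching_data(cert_der, selector, MATCHING_SHA256))


def demo():
    """Returns (orig matches, re-signed same key matches, other key matches) for a 3 1 1 record."""
    rec = publish_record(CERT_A1)
    return (dane_ee_matches(CERT_A1, rec), dane_ee_matches(CERT_A2, rec), dane_ee_matches(CERT_B, rec))


if __name__ == "__main__":
    print(demo())  # → (True, True, False)
```

With a "3 1 1" record the re-signed certificate still matches because only the SPKI is hashed; with "3 0 1" it would not, since the full-certificate digest covers the signature bytes. Either way the client never validates the signature, which is exactly why a DANE-EE(3) client still has to be sent a certificate but does not care who signed it.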