On 2018-11-08 20:41 -0500, Jim Reid wrote:
On 8 Nov 2018, at 08:44, Ryan Carboni <rya...@gmail.com> wrote:
This might be a radical proposal, but maybe the certificate hash could be
placed in a DNS TXT record.
[..]
If you need to put this hash in the DNS, you might as well get a type code
assigned for a specific RR to do that.
Which is exactly what TLSA records are for (RFC 6698), and its certificate usage 3:
3 -- Certificate usage 3 is used to specify a certificate, or the
public key of such a certificate, that MUST match the end entity
certificate given by the server in TLS. This certificate usage is
sometimes referred to as "domain-issued certificate" because it
allows for a domain name administrator to issue certificates for a
domain without involving a third-party CA. The target certificate
MUST match the TLSA record. The difference between certificate
usage 1 and certificate usage 3 is that certificate usage 1
requires that the certificate pass PKIX validation, but PKIX
validation is not tested for certificate usage 3.
--
Patrick Mevzek
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
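As an added example that is not part of the thread above, the following Go program shows what the reply is pointing at: how a zone operator derives a usage-3 TLSA record from a server certificate, and how a client checks the end-entity certificate presented in TLS against that record without any PKIX validation, exactly as the quoted RFC 6698 text describes. It uses only the Go standard library. The self-signed certificate, the name example.com and the `_443._tcp` owner name are constructed for the demonstration; the record layout and the selector/matching-type semantics follow RFC 6698 (SHA-512, matching type 2, is left out for brevity).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA of a TLSA record (RFC 6698, section 2.1).
type TLSA struct {
	Usage        uint8  // 3 = DANE-EE, the "domain-issued certificate" usage quoted above
	Selector     uint8  // 0 = full DER certificate, 1 = SubjectPublicKeyInfo only
	MatchingType uint8  // 0 = exact bytes, 1 = SHA-256 (2 = SHA-512, omitted here)
	Data         []byte // certificate association data published in the zone
}

// association picks the part of cert the selector names and applies the matching type.
func association(cert *x509.Certificate, selector, matchingType uint8) ([]byte, error) {
	var data []byte
	switch selector {
	case 0:
		data = cert.Raw
	case 1:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unknown TLSA selector %d", selector)
	}
	switch matchingType {
	case 0:
		return data, nil
	case 1:
		h := sha256.Sum256(data)
		return h[:], nil
	}
	return nil, fmt.Errorf("unsupported TLSA matching type %d", matchingType)
}

// NewTLSA computes the record a zone operator would publish for cert.
func NewTLSA(cert *x509.Certificate, usage, selector, matchingType uint8) (TLSA, error) {
	d, err := association(cert, selector, matchingType)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, MatchingType: matchingType, Data: d}, nil
}

// String renders RFC 6698 presentation format, e.g. "3 1 1 2BB183...".
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %X", t.Usage, t.Selector, t.MatchingType, t.Data)
}

// MatchesEE checks the end-entity certificate a server presented in TLS against a
// usage-3 record. Usage 3 does no PKIX validation: the record is the only anchor.
func MatchesEE(t TLSA, presented *x509.Certificate) (bool, error) {
	if t.Usage != 3 {
		return false, fmt.Errorf("usage %d needs PKIX validation; only usage 3 handled here", t.Usage)
	}
	d, err := association(presented, t.Selector, t.MatchingType)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(d, t.Data) == 1, nil
}

// selfSigned mints a throwaway certificate (constructed input, so the example runs offline).
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := selfSigned("example.com")
	rec, _ := NewTLSA(cert, 3, 1, 1) // "3 1 1": DANE-EE, SPKI, SHA-256
	fmt.Printf("_443._tcp.example.com. IN TLSA %s\n", rec)
	ok, _ := MatchesEE(rec, cert)
	fmt.Println("presented cert matches:", ok) // true
	rogue, _ := selfSigned("example.com") // same name, different key: must fail
	ok, _ = MatchesEE(rec, rogue)
	fmt.Println("rogue cert matches:", ok) // false
}
```

Two practical caveats the snippet leaves implicit. First, because usage 3 skips PKIX entirely, the TLSA lookup itself must be DNSSEC-validated (RFC 6698 requires this); an attacker who can forge the unsigned DNS answer could publish a record for their own certificate, which is the same trust model a bare TXT record would have. Second, a "3 1 1" record hashes only the SubjectPublicKeyInfo, so routine certificate renewals that keep the same key pair do not require a zone update; a selector-0 record would.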