It appears that Watson Ladd <watsonbl...@gmail.com> said:
>To my mind the registry should be able to issue X509 certs for second
>level domains/whoever controls a public suffix. After all, they know
>where you change DNS. Haven't sorted out how to deal with the level
>below that. Do others find this line of thought compelling?

If you expect the resolver to pass through an entire X509 cert, how about just making it pass through the chain of DNSSEC signatures to make it easy for a stub or client to check them?

R's,
John
_______________________________________________
Uta mailing list -- uta@ietf.org
To unsubscribe send an email to uta-le...@ietf.org