[spec] Certificate trust

Matthew Ernisse matt at going-flying.com
Mon Mar 1 01:27:51 GMT 2021


On Sun, Feb 28, 2021 at 08:32:53PM +0100, Solene Rapenne said unto me:
> 2) If 1 is invalid, let's (introduce something new here) check if
> DNS doesn't have a TXT field with the certificate fingerprint and
> see if it matches the current one, accept if OK

I think this is the perfect use of the TLSA record, instead of introducting
a new use of TXT.  It is already used by DANE to provide trust outside of
the CA structure.

--Matt

---
Matthew Ernisse
matt at going-flying.com
https://www.going-flying.com/


More information about the Gemini mailing list