[spec] Certificate trust

Matthew Ernisse matt at going-flying.com
Mon Mar 1 01:27:51 GMT 2021

On Sun, Feb 28, 2021 at 08:32:53PM +0100, Solene Rapenne said unto me:
> 2) If 1 is invalid, let's (introduce something new here) check if
> DNS doesn't have a TXT field with the certificate fingerprint and
> see if it matches the current one, accept if OK

I think this is the perfect use of the TLSA record, instead of introducting
a new use of TXT.  It is already used by DANE to provide trust outside of
the CA structure.


Matthew Ernisse
matt at going-flying.com

More information about the Gemini mailing list