[Cryptech Tech] Some problems with the repo access

Rob Austein sra at hactrn.net
Fri Feb 14 14:47:39 UTC 2014


At Fri, 14 Feb 2014 22:42:44 +0900, Randy Bush wrote:
> 
> > I might use one of the forms that covers the CA rather than just the
> > EE, but I don't care enough to argue, and I already know that Randy
> > disagrees with me on this, so it would be an argument.
> 
> nope.  i was in error.  i just needed a recipe for the correct hack.

Well, the question is really to Jakob, as author of the specification
in question and more clueful than I about how it really works.

Would it suffice to add:

_443._tcp.cryptech.is.  IN  CNAME  ca.hactrn.net.

?

In theory this supplies the missing X.509 CA directly, by stuffing it
into a signed DNS zone (already done) then using CNAMEs like this to
indicate where to find that CA whenever needed to cover an EE
certificate.  In practice, I don't know of any software that knows how
to test this yet, so I don't know whether I even got it right, much
less whether any of the target software will notice or care.
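As an added illustration that is not part of this thread: assuming the _443._tcp owner name above denotes a DANE TLSA record set (RFC 6698), this Python shows how a client that follows the CNAME would reach the TLSA records at ca.hactrn.net, and how a usage-2 record (DANE-TA, covers the CA) differs from a usage-3 record (DANE-EE) when checked against a served chain. The certificate bytes, zone contents and lookup function are constructed stand-ins, not real data from cryptech.is or hactrn.net.

```python
import hashlib

# Constructed stand-in certificates; real code would hold DER-encoded X.509.
EE_CERT = b"constructed-ee-cert-der"
CA_CERT = b"constructed-ca-cert-der"
OTHER_CA = b"constructed-unrelated-ca-der"

# Constructed zone data: the CNAME from the mail, plus TLSA records at the
# CNAME target. Records are (usage, selector, matching_type, data).
# Only selector 0 (full certificate) is handled; selector 1 (SPKI) would
# need an X.509 parser. Matching type 0 carries the whole CA cert in DNS.
ZONE = {
    "_443._tcp.cryptech.is.": ("CNAME", "ca.hactrn.net."),
    "ca.hactrn.net.": ("TLSA", [
        (2, 0, 0, CA_CERT),                           # DANE-TA, exact cert
        (2, 0, 1, hashlib.sha256(CA_CERT).digest()),  # DANE-TA, SHA-256
    ]),
}

def lookup_tlsa(name, zone, max_hops=8):
    """Return TLSA records for name, following CNAMEs like a resolver would."""
    for _ in range(max_hops):
        rtype, rdata = zone.get(name, (None, None))
        if rtype == "CNAME":
            name = rdata
            continue
        return rdata if rtype == "TLSA" else []
    return []  # CNAME loop or chain too deep: treat as no records

def association_data(cert_der, selector, mtype):
    """Compute the TLSA certificate association data for one certificate."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs DER parsing")
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type %r" % mtype)

def dane_match(chain, records):
    """chain is leaf-first. True if any record authenticates the chain.
    Usages 0/1 (PKIX-TA/PKIX-EE) also need ordinary PKIX validation, which
    this example does not perform, so they are treated as no match."""
    for usage, selector, mtype, data in records:
        if usage == 3:            # DANE-EE: must match the leaf itself
            candidates = chain[:1]
        elif usage == 2:          # DANE-TA: must match a CA above the leaf
            candidates = chain[1:]
        else:
            continue
        if any(association_data(c, selector, mtype) == data for c in candidates):
            return True
    return False

def check_cryptech(chain):
    return dane_match(chain, lookup_tlsa("_443._tcp.cryptech.is.", ZONE))
```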
