[Cryptech Tech] Some problems with the repo access
Rob Austein
sra at hactrn.net
Fri Feb 14 14:47:39 UTC 2014
At Fri, 14 Feb 2014 22:42:44 +0900, Randy Bush wrote:
>
> > I might use one of the forms that covers the CA rather than just the
> > EE, but I don't care enough to argue, and I already know that Randy
> > disagrees with me on this, so it would be an argument.
>
> nope. i was in error. i just needed a recipe for the correct hack.
Well, the question is really to Jakob, as author of the specification
in question and more clueful than I about how it really works.
Would it suffice to add:
_443._tcp.cryptech.is. IN CNAME ca.hactrn.net.
?
In theory this supplies the missing X.509 CA directly, by stuffing it
into a signed DNS zone (already done) then using CNAMEs like this to
indicate where to find that CA whenever needed to cover an EE
certificate. In practice, I don't know of any software that knows how
to test this yet, so I don't know whether I even got it right, much
less whether any of the target software will notice or care.
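A toy illustration of the record type this indirection would serve, added here and not part of the thread, assuming the specification referred to is DANE/TLSA (RFC 6698): a constructed zone in which the `_443._tcp` name is a CNAME to the name holding the TLSA data, a resolver that follows the CNAME with a loop guard, and a matcher that shows how certificate usage 2 (DANE-TA) covers the issuing CA while usage 3 (DANE-EE) covers only the end-entity certificate. The zone contents and certificate bytes are constructed; PKIX path validation (required for usages 0 and 1) and DNSSEC validation of each lookup are outside this snippet.

```python
import hashlib

# Constructed toy zone (not real DNS data): owner name -> list of (type, rdata).
# TLSA rdata is (usage, selector, matching_type, certificate_association_data).
# Usage 2 = DANE-TA (constrains the CA), usage 3 = DANE-EE (constrains the EE only).
CA_DER = b"constructed CA certificate bytes"
EE_DER = b"constructed EE certificate bytes"
ZONE = {
    "_443._tcp.cryptech.is.": [("CNAME", "ca.hactrn.net.")],
    "ca.hactrn.net.": [("TLSA", (2, 0, 1, hashlib.sha256(CA_DER).digest()))],
}

def resolve_tlsa(zone, name, max_hops=8):
    """Follow CNAMEs from name until TLSA records appear; return (final_name, records)."""
    seen = set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at %s" % name)
        seen.add(name)
        rrs = zone.get(name, [])
        tlsa = [rd for t, rd in rrs if t == "TLSA"]
        if tlsa:
            return name, tlsa
        cnames = [rd for t, rd in rrs if t == "CNAME"]
        if not cnames:
            return name, []
        name = cnames[0]

def association_data(selector, matching_type, der):
    """Compute the data a TLSA record carries for this certificate (selector 0 = full cert)."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SubjectPublicKeyInfo) needs an ASN.1 parser")
    if matching_type == 0:
        return der
    if matching_type == 1:
        return hashlib.sha256(der).digest()
    if matching_type == 2:
        return hashlib.sha512(der).digest()
    raise ValueError("unknown matching type %d" % matching_type)

def tlsa_matches(records, chain):
    """chain = [EE_DER, ..., CA_DER]. Return the usage of the first matching record, else None."""
    for usage, selector, mtype, data in records:
        # Usages 0 and 2 must match a CA in the chain; usages 1 and 3 match the EE only.
        candidates = chain[1:] if usage in (0, 2) else chain[:1]
        if any(association_data(selector, mtype, c) == data for c in candidates):
            return usage
    return None
```

With the zone above, a chain that carries the CA matches with usage 2 regardless of which EE certificate sits in front of it, while a bare EE certificate with no CA in the chain matches nothing.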