Documented the DANE situation in gnutls. Suggested by Gabor Toth.

author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2013-02-19 00:05:57 +0100
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2013-02-19 00:05:57 +0100
commit: 7c1e00484547da87d77ccf57c1c6bdbac430a958 (patch)
tree: e89304c7706d5ec8d9f38ca7d57f95b5e4f97e68
parent: 704190975aa6202ad7c37fc2d692688a3ad07417 (diff)
download: gnutls-7c1e00484547da87d77ccf57c1c6bdbac430a958.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 63ad6ccdb4..10ab9cf807 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -511,6 +511,13 @@ The DANE functionality is provided by the @code{libgnutls-dane} library that is
 with GnuTLS and the function prototypes are in @code{gnutls/dane.h}. 
 See @ref{Certificate verification} for information on how to use the library.
 
+Note however, that the DANE RFC mandates the verification methods
+one should use in addition to the validation via DNSSEC TLSA entries.
+GnuTLS doesn't follow that RFC requirement, and the term DANE verification
+in this manual refers to the TLSA entry verification. In GnuTLS any 
+other verification methods can be used (e.g., PKIX or TOFU) on top of
+DANE.
+
 @node Digital signatures
 @subsection Digital signatures
 @cindex digital signatures
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2013-02-19 00:05:57 +0100
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2013-02-19 00:05:57 +0100
commit	7c1e00484547da87d77ccf57c1c6bdbac430a958 (patch)
tree	e89304c7706d5ec8d9f38ca7d57f95b5e4f97e68
parent	704190975aa6202ad7c37fc2d692688a3ad07417 (diff)
download	gnutls-7c1e00484547da87d77ccf57c1c6bdbac430a958.tar.gz