author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2013-02-19 00:05:57 +0100
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2013-02-19 00:05:57 +0100
commit: 7c1e00484547da87d77ccf57c1c6bdbac430a958
tree: e89304c7706d5ec8d9f38ca7d57f95b5e4f97e68
parent: 704190975aa6202ad7c37fc2d692688a3ad07417
Documented the DANE situation in gnutls. Suggested by Gabor Toth.
-rw-r--r-- doc/cha-cert-auth.texi 7
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 63ad6ccdb4..10ab9cf807 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -511,6 +511,13 @@ The DANE functionality is provided by the @code{libgnutls-dane} library that is
with GnuTLS and the function prototypes are in @code{gnutls/dane.h}.
See @ref{Certificate verification} for information on how to use the library.
+Note however, that the DANE RFC mandates the verification methods
+one should use in addition to the validation via DNSSEC TLSA entries.
+GnuTLS doesn't follow that RFC requirement, and the term DANE verification
+in this manual refers to the TLSA entry verification. In GnuTLS any
+other verification methods can be used (e.g., PKIX or TOFU) on top of
+DANE.
+
@node Digital signatures
@subsection Digital signatures
@cindex digital signatures
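Review bot: In the added paragraph after the @ref{Certificate verification} line, "the DANE RFC" and "that RFC requirement" leave the reader to guess which document and which requirement is meant; cite the RFC by number and state which verification step GnuTLS leaves out. Since the text says DANE verification here means only the TLSA entry verification, it should also say outright that an application wanting the checks the RFC mandates has to perform them itself, because "can be used (e.g., PKIX or TOFU) on top of DANE" reads as optional hardening rather than as the step needed to match the RFC. A cross-reference to where combining the two checks is shown would help, as the existing @ref only points at the general verification section. Minor: drop the comma in "Note however, that".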