diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-02-19 00:05:57 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-02-19 00:05:57 +0100 |
commit | 7c1e00484547da87d77ccf57c1c6bdbac430a958 (patch) | |
tree | e89304c7706d5ec8d9f38ca7d57f95b5e4f97e68 /doc/cha-cert-auth.texi | |
parent | 704190975aa6202ad7c37fc2d692688a3ad07417 (diff) | |
download | gnutls-7c1e00484547da87d77ccf57c1c6bdbac430a958.tar.gz |
Documented the DANE situation in gnutls. Suggested by Gabor Toth.
Diffstat (limited to 'doc/cha-cert-auth.texi')
-rw-r--r-- | doc/cha-cert-auth.texi | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index 63ad6ccdb4..10ab9cf807 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -511,6 +511,13 @@ The DANE functionality is provided by the @code{libgnutls-dane} library that is with GnuTLS and the function prototypes are in @code{gnutls/dane.h}. See @ref{Certificate verification} for information on how to use the library. +Note however, that the DANE RFC mandates the verification methods +one should use in addition to the validation via DNSSEC TLSA entries. +GnuTLS doesn't follow that RFC requirement, and the term DANE verification +in this manual refers to the TLSA entry verification. In GnuTLS any +other verification methods can be used (e.g., PKIX or TOFU) on top of +DANE. + @node Digital signatures @subsection Digital signatures @cindex digital signatures |