Security/DNSSEC-TLS

380 bytes added, 20:15, 28 June 2011
This mechanism protects against CAs mis-issuing certificates. If a CA issues a certificate it was not supposed to, and that certificate is used, it will not match the contents of the DANE/CAA record. Of course, a server presenting a bad certificate could simply omit the DNSSEC chain, so if none is sent, perhaps we should perform the out-of-band DNSSEC chain verification ourselves.
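The DANE match described above, as an added example that is not part of the original page: a TLSA RDATA parser in the RFC 6698 wire format plus the check that a presented certificate matches the record, run against constructed (not real) certificate bytes for a legitimately issued and a mis-issued certificate. It assumes the TLSA record has already been DNSSEC-validated and that the SubjectPublicKeyInfo bytes are supplied separately by the caller.

```python
import hashlib
import hmac
import struct

# TLSA RDATA wire format (RFC 6698, section 2.1):
#   usage (1 byte) | selector (1 byte) | matching type (1 byte) | association data
def parse_tlsa_rdata(rdata: bytes) -> dict:
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return {"usage": usage, "selector": selector,
            "matching_type": mtype, "data": rdata[3:]}

def tlsa_matches(record: dict, cert_der: bytes, spki_der: bytes) -> bool:
    """Return True only if the presented certificate matches the TLSA record."""
    # Selector 0 covers the full certificate, selector 1 the SubjectPublicKeyInfo.
    if record["selector"] == 0:
        selected = cert_der
    elif record["selector"] == 1:
        selected = spki_der
    else:
        return False  # unknown selector: fail closed rather than guess
    mtype = record["matching_type"]
    if mtype == 0:
        expected = selected
    elif mtype == 1:
        expected = hashlib.sha256(selected).digest()
    elif mtype == 2:
        expected = hashlib.sha512(selected).digest()
    else:
        return False  # unknown matching type: fail closed
    # Constant-time comparison; a truncated or padded record must not pass.
    return hmac.compare_digest(expected, record["data"])

# Constructed sample data (not real certificates): the legitimate cert/SPKI
# and a cert another CA issued for the same name without authorization.
GOOD_SPKI = b"constructed-spki-of-legitimate-key"
GOOD_CERT = b"constructed-cert-" + GOOD_SPKI
ROGUE_SPKI = b"constructed-spki-of-rogue-key"
ROGUE_CERT = b"constructed-cert-" + ROGUE_SPKI

# usage 3 (domain-issued cert), selector 1 (SPKI), matching type 1 (SHA-256)
SAMPLE_TLSA_RDATA = bytes([3, 1, 1]) + hashlib.sha256(GOOD_SPKI).digest()

def check_presented_cert(rdata: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    return tlsa_matches(parse_tlsa_rdata(rdata), cert_der, spki_der)

if __name__ == "__main__":
    print("legitimate cert matches:", check_presented_cert(SAMPLE_TLSA_RDATA, GOOD_CERT, GOOD_SPKI))
    print("mis-issued cert matches:", check_presented_cert(SAMPLE_TLSA_RDATA, ROGUE_CERT, ROGUE_SPKI))
```

Usages 0 and 1 additionally require the normal PKIX path validation, which this check does not perform.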
== Verifying a DNSSEC Chain ==
The process of verifying a DNSSEC chain is discussed in general [[Security/DNSSEC-TLS/Background#Verifying a DNSSEC Chain|here]]. A proposal for the serialization of a DNSSEC chain is [http://tools.ietf.org/html/draft-agl-dane-serializechain-00 here]. Note that this proposal does not follow exactly the wire format of DNS records. Consequently, preexisting code cannot be used to serialize, parse, or validate the chain. Additionally, more flexibility means more opportunities for insecure verifier behavior.
== Google Chrome ==