Guido Witmond
2017-03-23 23:20:08 UTC
Hi,
I have this web site for which I've enabled a Let's Encrypt server
certificate.
Now I have the choice of either PKIX-TA (TLSA 0 x y) or DANE-TA (TLSA 2
x y) records, or both.
My main question is: What's the value of choosing one above the other?
If I choose PKIX-TA, it means that a client who doesn't have the Let's
Encrypt root certificate in their CA-store won't accept my certificate/site.
On the other hand, if I choose DANE-TA, are there any clients who won't
accept my certificate/site because it might not be part of the client's
list of valid CAs?
Browsing the web, I hardly see any pages argue for PKIX-TA (0 x y) TLSA
records. Is the consensus that DANE-TA is sufficient to make clients
accept my site when the records match the site?
In other words: which one (PKIX-TA or DANE-TA) to choose?
Cheers, Guido Witmond
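The difference the question turns on is who supplies the trust anchor. With usage 0 (PKIX-TA) the client first performs ordinary PKIX validation against its own CA store, and the TLSA data only constrains which CA must appear in that validated chain; with usage 2 (DANE-TA) the TLSA data itself names the trust anchor, the client never consults its CA store, and it only requires that the anchor be present in the served chain and that the leaf chains to it. The following Go program is an added example (not code from the original post or from Let's Encrypt) that implements both checks per RFC 6698 and runs them against a constructed, self-signed test CA and an example.com leaf that stand in for the Let's Encrypt issuer and the server certificate; the names TLSAData, VerifyDANE and ConstructedChain are this example's own, and the TLSA data used is the CA's SubjectPublicKeyInfo hash ("x 1 1"), which is the form RFC 7671 recommends because it survives leaf renewals as long as the same CA key keeps signing.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one RFC 6698 record: certificate usage, selector, matching type, data.
type TLSA struct {
	Usage, Selector, MType uint8
	Data                   []byte
}

// TLSAData returns the association data for cert under selector 0 (full DER
// certificate) or 1 (SubjectPublicKeyInfo) with matching type 1 (SHA-256).
func TLSAData(cert *x509.Certificate, selector uint8) []byte {
	in := cert.Raw
	if selector == 1 {
		in = cert.RawSubjectPublicKeyInfo
	}
	sum := sha256.Sum256(in)
	return sum[:]
}

func matches(rec TLSA, cert *x509.Certificate) bool {
	return rec.MType == 1 && bytes.Equal(rec.Data, TLSAData(cert, rec.Selector))
}

// pkixVerify validates chain (leaf first) for host with roots as the only trust
// anchors and the remaining presented certificates as intermediates.
func pkixVerify(chain []*x509.Certificate, roots *x509.CertPool, host string) ([][]*x509.Certificate, error) {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	return chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
}

// VerifyDANE checks a presented chain against one TLSA record of usage 0 (PKIX-TA)
// or 2 (DANE-TA). clientRoots is the client's own CA store; only usage 0 consults it.
func VerifyDANE(chain []*x509.Certificate, rec TLSA, clientRoots *x509.CertPool, host string) error {
	switch rec.Usage {
	case 0: // PKIX-TA: ordinary PKIX validation, and the record must name a CA in that chain.
		chains, err := pkixVerify(chain, clientRoots, host)
		if err != nil {
			return fmt.Errorf("PKIX-TA: %w", err)
		}
		for _, ch := range chains {
			for _, c := range ch[1:] {
				if matches(rec, c) {
					return nil
				}
			}
		}
		return fmt.Errorf("PKIX-TA: no CA in the validated chain matches the record")
	case 2: // DANE-TA: the record itself is the trust anchor; it must be in the presented
		// chain and the leaf must chain to it. The client's CA store is never consulted.
		for _, c := range chain[1:] {
			if matches(rec, c) {
				anchor := x509.NewCertPool()
				anchor.AddCert(c)
				_, err := pkixVerify(chain, anchor, host)
				return err
			}
		}
		return fmt.Errorf("DANE-TA: no certificate in the presented chain matches the record")
	}
	return fmt.Errorf("usage %d not handled in this example", rec.Usage)
}

func mustCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return c
}

// ConstructedChain makes a throwaway CA and an example.com leaf it signed: constructed
// test data standing in for the Let's Encrypt issuer and the server certificate.
func ConstructedChain() (leaf, ca *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = mustCert(caTmpl, caTmpl, caPub, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"example.com"},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return mustCert(leafTmpl, ca, leafPub, caKey), ca
}

func main() {
	leaf, ca := ConstructedChain()
	chain, withCA, withoutCA := []*x509.Certificate{leaf, ca}, x509.NewCertPool(), x509.NewCertPool()
	withCA.AddCert(ca) // withoutCA models a client whose CA store lacks this root
	for _, u := range []uint8{0, 2} {
		rec := TLSA{Usage: u, Selector: 1, MType: 1, Data: TLSAData(ca, 1)}
		fmt.Printf("%d 1 1 %x\n  client has the root:   %v\n  client lacks the root: %v\n", u, rec.Data,
			VerifyDANE(chain, rec, withCA, "example.com"), VerifyDANE(chain, rec, withoutCA, "example.com"))
	}
}
```

Running it shows the asymmetry the post asks about: the "0 1 1" record passes only for the client whose store holds the issuing root, while the "2 1 1" record passes for both, because the record rather than the store is the anchor. Two caveats for a real Let's Encrypt deployment: a DANE-TA anchor must actually be served in the TLS chain (for Let's Encrypt that is normally the intermediate the server sends, so the record is typically the intermediate's SPKI hash, and it must be updated when Let's Encrypt rotates intermediate keys), and for HTTPS specifically neither record type helps with mainstream browsers, none of which validate DANE; the records are honoured by DANE-aware clients such as SMTP servers and dedicated verifiers.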