Web SSL Certificates verified by DNSSEC-protected DNS records (DANE TLSA)
-
mgaudin last edited by
If I visit a https website which uses a self signed certificate and has valid TLSA Records protected by DNSSEC according to RFC-6698 and RFC-7218 (e.g. https://www.udin.ch), Opera comes up with the usual warning message because it validates against Trusted Root CAs only.
Opera should prefer and honor DNSSEC-validated TLSA before falling back to "classic" Root CA TLS verification. This would enable everyone to use their own self-signed certificates and give a real motivation to implement DNSSEC.