5 comments

[ 3.6 ms ] story [ 21.1 ms ] thread
That's the point; it uses DNSSec instead of the CA system.
host -t cert imperialviolet.org

imperialviolet.org has no CERT record

Still LOLing

> The DNSSEC stapled data is embedded in an X.509 certificate (as opposed to extending TLS or using a different certificate format) because every HTTPS server will take an X.509 certificate as an opaque blob and it Just Works. All the other possiblilies introduce significant barriers to adoption.

It's not in the CERT record. The DNSSEC signature chain is carried in the SSL cert.