Just a question (quick).
You probably saw the relatively new CAA record for DNS. This (great) record provides a
means to get the address of a CA for a given DNS domain.
Firstly, it is unclear to me why the old SRV records are not used as they essentially do
the same. You may think of creating an SRV record for _pkica.<domain> that would
provide a CA's IP address.
Then my question is: why is this SRV not used on Linux boxes? This would provide a means
to retrieve automatically a certificate/public key for a given user and avoid setting
configs (i.e. ldap.conf) on the client side. In other terms, don't we need a CAA
equivalent for Directories?
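As an added example, not part of the original post or any reply to it: a small evaluator of the CAA policy defined in RFC 8659, the kind of check a domain owner runs against their own zone to confirm which issuers it authorizes. It walks from the requested name toward the root and uses the first non-empty CAA record set, honours `issuewild` for wildcard requests and the critical flag on unknown tags, and accepts or refuses an issuer name accordingly. The zone contents, domain names and issuer names are constructed in-memory sample data (no live DNS lookups).

```python
"""Added example (not part of the original post): evaluate an RFC 8659
CAA policy over a constructed, in-memory zone instead of live DNS.
Every owner name, issuer name and record below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed CAA record sets in presentation format: owner name -> ["flags tag value", ...].
ZONE: Dict[str, List[str]] = {
    "example.test.": [
        '0 issue "ca-one.test"',
        '0 issue "ca-two.test; validationmethods=dns-01"',  # parameters follow ';'
        '0 issuewild ";"',                                    # no CA may issue wildcards
        '0 iodef "mailto:security@example.test"',
    ],
    "nocaa.example.test.": [],   # no CAA here: policy comes from the parent
    "open.test.": [],            # no CAA anywhere in this tree: issuance unrestricted
}

CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


def parse_caa(text: str) -> Tuple[int, str, str]:
    """Parse one presentation-format CAA record into (flags, tag, value)."""
    m = CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def _fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def find_caa(name: str, zone: Dict[str, List[str]]) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """RFC 8659 section 3: climb from the name toward the root; the first
    non-empty CAA record set found is the relevant one. Returns (owner, records)."""
    labels = _fqdn(name).rstrip(".").split(".")
    while labels:
        owner = ".".join(labels) + "."
        records = [parse_caa(r) for r in zone.get(owner, [])]
        if records:
            return owner, records
        labels.pop(0)
    return None, []


def issuer_domain(value: str) -> str:
    """Issuer domain name of an issue/issuewild value, i.e. the part before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, name: str, zone: Dict[str, List[str]], wildcard: bool = False) -> bool:
    """Return True if issuer `ca` is authorized to issue a certificate for `name`.
    With wildcard=True the request is for '*.<name>', so issuewild takes precedence."""
    _, records = find_caa(name, zone)
    if not records:
        return True  # no CAA policy anywhere in the tree: not restricted
    # Critical flag (bit 7) on a property tag this evaluator does not understand: refuse.
    for flags, tag, _ in records:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False
    tags = {t for _, t, _ in records}
    # issuewild, when present, replaces issue for wildcard requests (RFC 8659 section 4.3).
    tag = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    if tag not in tags:
        return True  # record set has no applicable issue/issuewild property: not restricted
    allowed = {issuer_domain(v) for _, t, v in records if t == tag}
    allowed.discard("")  # a value of ";" authorizes no issuer at all
    return ca.lower() in allowed


if __name__ == "__main__":
    for ca, name, wild in [("ca-one.test", "example.test", False),
                           ("evil-ca.test", "example.test", False),
                           ("ca-one.test", "www.nocaa.example.test", False),
                           ("ca-one.test", "example.test", True),
                           ("anyone.test", "sub.open.test", False)]:
        print(f"{ca:14} {'*.' if wild else ''}{name:26} -> {'permit' if may_issue(ca, name, ZONE, wild) else 'refuse'}")
```

The tree walk is the part most often misunderstood: a CAA set on `example.test.` governs every subdomain that has no CAA set of its own, so a defender auditing a zone should check the nearest ancestor with records rather than only the leaf name.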