<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 30.11.2016 at 21:57, sivmu wrote:<br>
</div>
<blockquote cite="mid:a492fb47-869f-164b-8780-8874533f7c61@web.de"
type="cite">
<pre wrap="">when pinning your certificates you can include one whose
corresponding key is not on the machine but acts as the backup key, maybe
even offline.</pre>
</blockquote>
<br>
<p><font face="Arial">Not "can", it's not an option, it is mandatory!</font></p>
<p><font face="Arial">The browsers will NOT accept HPKP pinning if
you don't add a currently unused backup key.</font></p>
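<p><font face="Arial">As an added illustration (not code from the thread), the checks a browser applies before it stores a Public-Key-Pins header, per RFC 7469: the pin is the base64 SHA-256 of the DER SubjectPublicKeyInfo, at least one pin must match the served chain, and at least one pin must not (the backup). The key bytes and the Ed25519 SPKI prefix used to build sample SPKIs are constructed for the example.</font></p>

```python
import base64
import hashlib
import re

# Assumption: RFC 8410 DER prefix for an Ed25519 SubjectPublicKeyInfo; the
# key bytes appended below are constructed, not a real deployed key.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki_der(raw_key32: bytes) -> bytes:
    """Wrap 32 raw key bytes into a DER SubjectPublicKeyInfo blob."""
    if len(raw_key32) != 32:
        raise ValueError("expected 32 raw key bytes")
    return ED25519_SPKI_PREFIX + raw_key32


def pin_sha256(spki: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def build_pkp_header(pins, max_age=5184000) -> str:
    """Serialise a Public-Key-Pins header value (60 days by default)."""
    directives = [f'pin-sha256="{p}"' for p in pins]
    directives.append(f"max-age={max_age}")
    return "; ".join(directives)


def parse_pins(header: str):
    """Extract every pin-sha256 directive from a header value."""
    return re.findall(r'pin-sha256="([^"]+)"', header)


def ua_accepts(header: str, served_chain_spkis) -> bool:
    """Decide whether a UA would note these pins (RFC 7469 sections 2.5, 4.3)."""
    pins = parse_pins(header)
    if len(pins) < 2:
        return False  # a single pin can never include a backup
    chain_pins = {pin_sha256(s) for s in served_chain_spkis}
    if not any(p in chain_pins for p in pins):
        return False  # Pin Validation fails: header does not match the chain
    if all(p in chain_pins for p in pins):
        return False  # no Backup Pin: every pin is already in the served chain
    return True


if __name__ == "__main__":
    leaf = spki_der(bytes(range(32)))          # key in use on the server
    backup = spki_der(bytes(range(32, 64)))    # key kept offline
    print(build_pkp_header([pin_sha256(leaf), pin_sha256(backup)]))
```

Run the module to print a header that a browser would accept; drop the second pin and `ua_accepts` reports that the same browser would ignore it.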
<br>
Regarding DANE and HTTPS: It's not the client who checks the
TLSA records and verifies the KSK/ZSK signatures, it's your
nameserver. Only a few people host their own nameserver at home or on
their smartphone etc. Usually the nameserver of your ISP is used,
so: just intercept the last mile and DANE is broken.<br>
<br>
</body>
</html>