README.md (613B)
# CA certificates

Notes:

* CAs are deprecated (for me); we should use alternatives (DANE is good, maybe a TLS-side HPKP; DNSSEC should be replaced with DNSCrypt or equivalent). So this is only for backward compatibility, while still staying secure.

## Rules

- CA root file MUST be OpenPGP signed or equivalent
- Certification Authorities SHOULD verify ownership of the address/domain and MUST NOT create known fake certificates
- SHOULD follow the latest recommendations/rules of cryptography (RFC, parts of: NSA, NIST, ANSSI)

## Dependencies

* POSIX system
* Internet (downloading CA root certificates)
* OpenPGP
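
One way to enforce the first rule (CA root file MUST be OpenPGP signed) before a downloaded bundle is installed. This is an added example, not code from this repository; the function names, file paths and the pinned fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed check of a CA root bundle against a pinned
# OpenPGP key. Function names and all arguments are hypothetical.

# verify_ca_bundle BUNDLE SIG KEYRING FINGERPRINT
# Returns 0 only if SIG is a valid detached signature over BUNDLE made by a
# key in KEYRING whose primary-key fingerprint equals FINGERPRINT.
# Returns 2 on bad arguments or missing files, 3 if gpgv is absent, 1 otherwise.
verify_ca_bundle() {
    [ $# -eq 4 ] || return 2
    bundle=$1 sig=$2 keyring=$3 want_fpr=$4

    for f in "$bundle" "$sig" "$keyring"; do
        [ -f "$f" ] && [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not found" >&2; return 3; }

    # gpgv accepts only keys from the keyring given here, so keys in the
    # user's default keyring cannot make a signature pass. KEYRING should be
    # a path containing a slash; a bare name is looked up in the GnuPG homedir.
    status=$(gpgv --keyring "$keyring" --status-fd 1 "$sig" "$bundle" 2>/dev/null) \
        || return 1

    # The last field of the VALIDSIG status line is the primary-key fingerprint.
    got_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$got_fpr" ] && [ "$got_fpr" = "$want_fpr" ] || return 1
}

# install_ca_bundle BUNDLE SIG KEYRING FINGERPRINT DEST
# Copies BUNDLE to DEST only after verification, using a temporary file and
# a rename so a partially written bundle is never visible at DEST.
install_ca_bundle() {
    [ $# -eq 5 ] || return 2
    src=$1 dest=$5
    verify_ca_bundle "$1" "$2" "$3" "$4" || {
        echo "refusing to install unverified CA bundle" >&2
        return 1
    }
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dest"
}
```

The keyring holding the signer's public key has to be obtained and checked out of band; fetching it from the same location as the bundle defeats the check.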