author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-08-10 21:52:24 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-08-10 21:52:24 +0100 |
commit | eeb9276b22cd991157c46a068a85ffe59b948d75 | |
tree | 5b307402b8779e4668e16aea2462a3de4972c0c6 /doc | |
parent | 82525c6fc2b2c12202b93250c2774bf50baae300 |
Enable OCSP
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-txt/experimental-spec.txt | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index f1414287d..b1b89e007 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1234,7 +1234,8 @@ must have a correct name (SubjectName or SubjectAltName). The use of OCSP-stapling should be considered, allowing for fast revocation of certificates (which would otherwise -be limited by the DNS TTL on the TLSA records). +be limited by the DNS TTL on the TLSA records). However, +this is likely to only be usable with DANE_TA. For client-side DANE there are two new smtp transport options, @@ -1252,12 +1253,13 @@ If dane is in use the following transport options are ignored: tls_verify_certificates tls_crl tls_verify_cert_hostnames - hosts_require_ocsp (might rethink those two) - hosts_request_ocsp Currently dnssec_request_domains must be active (need to think about that) and dnssec_require_domains is ignored. +If verification was successful using DANE then the "CV" item +in the delivery log line will show as "CV=dane". + -------------------------------------------------------------- End of file |
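Review bot: In the first hunk (@@ -1234), the added sentence "However, this is likely to only be usable with DANE_TA" states a limitation without giving the reason for it, and without saying what happens when OCSP stapling is requested for a host whose TLSA records are of another usage. From this text a reader configuring stapling cannot tell whether the request is silently ignored or the delivery fails. Suggest adding a clause with the reason and the resulting behaviour, and replacing "likely" with a definite statement once the behaviour is settled.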
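Review bot: In the second hunk (@@ -1252), removing hosts_require_ocsp and hosts_request_ocsp from the "following transport options are ignored" list leaves the reader to infer that both are now honoured when dane is in use. Nothing says so explicitly, and nothing explains how hosts_require_ocsp interacts with the first hunk's caveat that stapling is likely usable only with DANE_TA. Suggest a sentence after the list stating that the two options apply under DANE and what a required but missing OCSP response does to the delivery. The new "CV=dane" paragraph covers only the successful case, so it would also help to say what the "CV" item shows when DANE was attempted and verification did not succeed.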