There are some conflicts between the STS standard and the DANE specification.
The current STS draft states[1]:
from section 2.2:
The UA terminates, without user recourse, any secure transport
connection attempts upon any and all secure transport errors or
warnings, including those caused by a site presenting self-signed
certificates.
This means we cannot use dane certificate associations for self-signed certificates together with STS. We currently work around this problem by rewriting the URL to HTTPS, but we feel that this is an ugly solution.
There are some conflicts between the STS standard and the DANE specification.
The current STS draft states[1]: from section 2.2:
This means we cannot use dane certificate associations for self-signed certificates together with STS. We currently work around this problem by rewriting the URL to HTTPS, but we feel that this is an ugly solution.
Todo:
[1] http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-00